diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3b5648bc2e..8377f170ae 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19448,7 +19448,7 @@ { "source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md", "redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/intelligence/support-scams.md", @@ -19498,7 +19498,7 @@ { "source_path": "education/itadmins.yml", "redirect_url": "/education", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "education/partners.yml", @@ -19539,6 +19539,21 @@ "source_path": "windows/client-management/mdm/messaging-csp.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false - } + }, + { + "source_path": "windows/client-management/mdm/policymanager-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/proxy-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/img-boot-sequence.md", + "redirect_url": "/windows/client-management/advanced-troubleshooting-boot-problems#boot-sequence", + "redirect_document_id": false + } ] } diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ef3a69ff52..3bf0503686 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -2,104 +2,84 @@ Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs. This page covers the basic steps for editing our technical documentation. +For a more up-to-date and complete contribution guide, see the main [Microsoft Docs contributor guide overview](https://docs.microsoft.com/contribute/). ## Sign a CLA -All contributors who are ***not*** a Microsoft employee must [sign a Microsoft Contribution Licensing Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories. -If you've already edited within Microsoft repositories in the past, congratulations! +All contributors who are ***not*** a Microsoft employee or vendor must [sign a Microsoft Contributor License Agreement (CLA)](https://cla.microsoft.com/) before editing any Microsoft repositories. +If you've already edited within Microsoft repositories in the past, congratulations! You've already completed this step. ## Editing topics We've tried to make editing an existing, public file as simple as possible. ->**Note**
->At this time, only the English (en-us) content is available for editing. +> **Note**
+> At this time, only the English (en-us) content is available for editing. If you have suggestions for edits to localized content, file feedback on the article. -**To edit a topic** +### To edit a topic -1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**. +1. Go to the page on [docs.microsoft.com](https://docs.microsoft.com/) that you want to update. - ![GitHub Web, showing the Edit link.](images/contribute-link.png) + > **Note**
+ > If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.docs.microsoft.com/help/get-started/edit-article-in-github?branch=main). -2. Log into (or sign up for) a GitHub account. - - You must have a GitHub account to get to the page that lets you edit a topic. +1. Then select the **Pencil** icon. -3. Click the **Pencil** icon (in the red box) to edit the content. + ![Microsoft Docs Web, showing the Edit This Document link.](images/contribute-link.png) - ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png) + If the pencil icon isn't present, the content might not be open to public contributions. Some pages are generated (for example, from inline documentation in code) and must be edited in the project they belong to. This isn't always the case and you might be able to find the documentation by searching the [Microsoft Docs Organization on GitHub](https://github.com/MicrosoftDocs). -4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see: - - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring) - - - **If you're external to Microsoft:** [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) + > **TIP**
+ > View the page source in your browser, and look for the following metadata: `original_content_git_url`. This path always points to the source markdown file for the article. -5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct. +1. In GitHub, select the **Pencil** icon to edit the article. If the pencil icon is grayed out, you need to either sign in to your GitHub account or create a new account. - ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png) + ![GitHub Web, showing the Pencil icon.](images/pencil-icon.png) -6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account. +1. Using Markdown language, make your changes to the file. For info about how to edit content using Markdown, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference) and GitHub's [Mastering Markdown](https://guides.github.com/features/mastering-markdown/) documentation. - ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png) +1. Make your suggested change, and then select **Preview changes** to make sure it looks correct. - The **Comparing changes** screen appears to see what the changes are between your fork and the original content. + ![GitHub Web, showing the Preview changes tab.](images/preview-changes.png) -7. On the **Comparing changes** screen, you’ll see if there are any problems with the file you’re checking in. +1. When you're finished editing, scroll to the bottom of the page. In the **Propose changes** area, enter a title and optionally a description for your changes. The title will be the first line of the commit message. Briefly state _what_ you changed. Select **Propose changes** to commit your changes: + + ![GitHub Web, showing the Propose changes button.](images/propose-changes.png) + +1. 
The **Comparing changes** screen appears to show what the changes are between your fork and the original content. On the **Comparing changes** screen, you'll see if there are any problems with the file you're checking. If there are no problems, you'll see the message **Able to merge**. - If there are no problems, you’ll see the message, **Able to merge**. - ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png) -8. Click **Create pull request**. + Select **Create pull request**. Next, enter a title and description to give the approver the appropriate context about _why_ you're suggesting this change. Make sure that only your changed files are in this pull request; otherwise, you could overwrite changes from other people. -9. Enter a title and description to give the approver the appropriate context about what’s in the request. +1. Select **Create pull request** again to actually submit the pull request. -10. Scroll to the bottom of the page, making sure that only your changed files are in this pull request. Otherwise, you could overwrite changes from other people. + The pull request is sent to the writer of the topic and your edits are reviewed. If your request is accepted, updates are published to their respective article. This repository contains articles on some of the following topics: -11. Click **Create pull request** again to actually submit the pull request. - - The pull request is sent to the writer of the topic and your edits are reviewed. 
If your request is accepted, updates are published to one of the following places: - - - [Windows 10](https://docs.microsoft.com/windows/windows-10) - - - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy) - - - [Surface](https://docs.microsoft.com/surface) - - - [Surface Hub](https://docs.microsoft.com/surface-hub) - - - [HoloLens](https://docs.microsoft.com/hololens) - + - [Windows client documentation for IT Pros](https://docs.microsoft.com/windows/resources/) - [Microsoft Store](https://docs.microsoft.com/microsoft-store) - - [Windows 10 for Education](https://docs.microsoft.com/education/windows) - - [Windows 10 for SMB](https://docs.microsoft.com/windows/smb) - - - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer) - - - [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/microsoft-desktop-optimization-pack) - + - [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/) ## Making more substantial changes -To make substantial changes to an existing article, add or change images, or contribute a new article, you will need to create a local clone of the content. -For info about creating a fork or clone, see the GitHub help topic, [Fork a Repo](https://help.github.com/articles/fork-a-repo/). +To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content. +For info about creating a fork or clone, see [Set up a local Git repository](https://docs.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful. -Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Then open a pull request back to the master branch of the official repo. 
+Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo. ## Using issues to provide feedback on documentation If you just want to provide feedback rather than directly modifying actual documentation pages, you can create an issue in the repository. -At the top of a topic page you'll see an **Issues** tab. Click the tab and then click the **New issue** button. +At the top of an article, you'll see a feedback icon. Select the icon to go to the **Feedback** section at the bottom of the article. Then select **This page** to file feedback for the current article. -Be sure to include the topic title and the URL for the page you're submitting the issue for, if that page is different from the page you launched the **New issue** dialog from. +In the new issue form, enter a brief title. In the body of the form, describe the concern, but don't modify the **Document Details** section. You can use markdown in this form. When you're ready, select **Submit new issue**. ## Resources -You can use your favorite text editor to edit Markdown. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft. - -You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). - +- You can use your favorite text editor to edit Markdown files. We recommend [Visual Studio Code](https://code.visualstudio.com/), a free lightweight open source editor from Microsoft. +- You can learn the basics of Markdown in just a few minutes. To get started, check out [Mastering Markdown](https://guides.github.com/features/mastering-markdown/). +- Microsoft Docs uses several custom Markdown extensions. 
To learn more, see the [Microsoft Docs Markdown reference](https://docs.microsoft.com/contribute/markdown-reference). diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 87443100ce..70532ccda4 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -111,7 +111,7 @@ Back up all your data before installing Windows 10 in S mode. Only personal file Windows 10 in S mode doesn't support non-Azure Active Directory domain accounts. Before installing Windows 10 in S mode, you must have at least one of these administrator accounts: - Local administrator -- Microsoft Account (MSA) administrator +- Microsoft account administrator - Azure Active Directory administrator > [!WARNING] diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 7ce8bd2724..9090762b1e 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation| |Duo from Cisco |2.25.0 |Win32 |Cisco| |e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking| +|eTests |4.0.25 |Win32 |CASAS| |FortiClient |7.0.1.0083 |Win32 |Fortinet| |Free NaturalReader |16.1.2 |Win32 |Natural Soft| |GoGuardian |1.4.4 |Win32 |GoGuardian| @@ -73,7 +74,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |NextUp Talker |1.0.49 |Win32 |NextUp Technologies| |NonVisual Desktop Access |2021.3.1 |Win32 |NV Access| |NWEA Secure Testing Browser |5.4.300.0 |Win32 |NWEA| -|Pearson TestNav |1.10.2.0 |Win32 |Pearson| +|Pearson TestNav |1.10.2.0 |Store |Pearson| |Questar Secure Browser |4.8.3.376 |Win32 |Questar| |ReadAndWriteForWindows |12.0.60.0 |Win32 |Texthelp Ltd.| |Remote Help |3.8.0.12 |Win32 |Microsoft| 
@@ -81,7 +82,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |Safe Exam Browser |3.3.2.413 |Win32 |Safe Exam Browser| |Secure Browser |14.0.0 |Win32 |Cambium Development| |Secure Browser |4.8.3.376 |Win32 |Questar, Inc| -|SensoCloud test |2021.11.15.0 |Win32|Senso.Cloud| +|Senso.Cloud |2021.11.15.0 |Win32|Senso.Cloud| |SuperNova Magnifier & Screen Reader |21.02 |Win32 |Dolphin Computer Access| |Zoom |5.9.1 (2581)|Win32 |Zoom| |ZoomText Fusion |2022.2109.10|Win32 |Freedom Scientific| diff --git a/images/compare-changes.png b/images/compare-changes.png index 0d86db70f5..183953dc8a 100644 Binary files a/images/compare-changes.png and b/images/compare-changes.png differ diff --git a/images/contribute-link.png b/images/contribute-link.png index 4cf685e54e..742a6f53ef 100644 Binary files a/images/contribute-link.png and b/images/contribute-link.png differ diff --git a/images/pencil-icon.png b/images/pencil-icon.png index 82fe7852dd..f041c32229 100644 Binary files a/images/pencil-icon.png and b/images/pencil-icon.png differ diff --git a/images/preview-changes.png b/images/preview-changes.png index cb4ecab594..54761f44d2 100644 Binary files a/images/preview-changes.png and b/images/preview-changes.png differ diff --git a/images/propose-changes.png b/images/propose-changes.png new file mode 100644 index 0000000000..5c16f931fc Binary files /dev/null and b/images/propose-changes.png differ diff --git a/images/propose-file-change.png b/images/propose-file-change.png deleted file mode 100644 index aedbc07b16..0000000000 Binary files a/images/propose-file-change.png and /dev/null differ diff --git a/smb/breadcrumb/toc.yml b/smb/breadcrumb/toc.yml index 3fc3bfeaee..317dcb4c3b 100644 --- a/smb/breadcrumb/toc.yml +++ b/smb/breadcrumb/toc.yml 
@@ -1,10 +1,11 @@ +items: - name: Docs tocHref: / topicHref: / items: - name: Windows tocHref: /windows - topicHref: https://docs.microsoft.com/windows/#pivot=it-pro + topicHref: /windows/resources/ items: - name: SMB tocHref: /windows/smb diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md index 7da2e85c29..729c76f598 100644 --- a/smb/cloud-mode-business-setup.md +++ b/smb/cloud-mode-business-setup.md @@ -574,7 +574,7 @@ See [Add users to Office 365](/microsoft-365/admin/add-users/add-users) to learn To learn more about the services and tools mentioned in this walkthrough, and learn what other tasks you can do, follow these links: - [Set up Office 365 for business](/microsoft-365/admin/setup) - Common admin tasks in Office 365 including email and OneDrive in [Manage Office 365](/microsoft-365/admin/) -- More info about managing devices, apps, data, troubleshooting, and more in the [/mem/intune/](/mem/intune/) +- More info about managing devices, apps, data, troubleshooting, and more in the [Intune documentation](/mem/intune/) - Learn more about Windows client in the [Windows client documentation for IT Pros](/windows/resources/). - Info about distributing apps to your employees, managing apps, managing settings, and more in [Microsoft Store for Business](/microsoft-store/) diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md index 5ec635a24d..c6c6e4564c 100644 --- a/store-for-business/manage-private-store-settings.md +++ b/store-for-business/manage-private-store-settings.md 
@@ -50,10 +50,11 @@ You can create collections of apps within your private store. Collections allow You can add a collection to your private store from the private store, or from the details page for an app. **From private store** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
- ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) + ![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png) 3. Click **Add a Collection**.
![Image showing Add a Collection.](images/msfb-add-collection.png) @@ -65,6 +66,7 @@ You can add a collection to your private store from the private store, or from t > New collections require at least one app, or they will not be created. **From app details page** + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Products & services**. 3. Under **Apps & software**, choose an app you want to include in a new collection. @@ -84,12 +86,13 @@ If you've already added a Collection to your private store, you can easily add a 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click your private store.
- ![Image showing private store name on MSfB store UI.](images/msfb-click-private-store.png) + ![Image showing private store name on Microsoft Store for Business store UI.](images/msfb-click-private-store.png) 3. Click the ellipses next to the collection name, and click **Edit collection**. 4. Add or remove products from the collection, and then click **Done**. You can also add an app to a collection from the app details page. + 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Products & services**. 3. Under **Apps & software**, choose an app you want to include in a new collection. diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 42eda0b990..9478fd004c 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -45,7 +45,7 @@ You'll need to set up: - LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store. The process and timing look like this: -![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png) +![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for Microsoft Store for Business admin, LOB publisher, and Developer.](images/lob-workflow.png) ## Add an LOB publisher (Admin) Admins need to invite developer or ISVs to become an LOB publisher. diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 98fff77da2..122ffdd4f1 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -31,7 +31,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 1. Download the FOD .cab file: - [Windows 11, version 21H2](https://software-download.microsoft.com/download/sg/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd_64~~.cab) - - [Windows 10, version 2004](https://software-download.microsoft.com/download/pr/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) + - [Windows 10, version 2004](https://software-static.download.prss.microsoft.com/pr/download/6cf73b63/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) - [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab) - [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab) - [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md index dd92af8c4f..817cffb7c0 100644 --- a/windows/client-management/advanced-troubleshooting-boot-problems.md +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md 
@@ -2,11 +2,11 @@ title: Advanced troubleshooting for Windows boot problems description: Learn to troubleshoot when Windows can't boot. This article includes advanced troubleshooting techniques intended for use by support agents and IT professionals. ms.prod: w10 -ms.sitesec: library -author: aczechowski +ms.technology: windows ms.localizationpriority: medium +ms.date: 06/02/2022 +author: aczechowski ms.author: aaroncz -ms.date: 11/16/2018 ms.reviewer: manager: dougeby ms.topic: troubleshooting @@ -15,16 +15,15 @@ ms.collection: highpri # Advanced troubleshooting for Windows boot problems -

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues +

Try our Virtual Agent - It can help you quickly identify and fix common Windows boot issues. > [!NOTE] -> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415). +> This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/windows/recovery-options-in-windows-31ce2444-7de3-818c-d626-e3b5a3024da5). ## Summary There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: - | Phase | Boot Process | BIOS | UEFI | |-----------|----------------------|------------------------------------|-----------------------------------| | 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | 
@@ -32,31 +31,21 @@ There are several reasons why a Windows-based computer may have problems during | 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | | 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | -**1. PreBoot** +1. **PreBoot**: The PC's firmware initiates a power-on self test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager. -The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot Manager. +2. **Windows Boot Manager**: Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. -**2. Windows Boot Manager** +3. **Windows operating system loader**: Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. -Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. +4. **Windows NT OS Kernel**: The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. -**3. Windows operating system loader** - -Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. - -**4. Windows NT OS Kernel** - -The kernel loads into memory the system registry hive and other drivers that are marked as BOOT_START. - -The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. - -Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. 
Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. - -![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)
-[Click to enlarge](img-boot-sequence.md)
+ The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that aren't marked BOOT_START. + +Here's a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before you start troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. Select the thumbnail to view it larger. +:::image type="content" source="images/boot-sequence-thumb.png" alt-text="Diagram of the boot sequence flowchart." lightbox="images/boot-sequence.png"::: Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases. @@ -69,7 +58,6 @@ Each phase has a different approach to troubleshooting. This article provides tr > > `Bcdedit /set {default} bootmenupolicy legacy` - ## BIOS phase To determine whether the system has passed the BIOS phase, follow these steps: 
@@ -86,26 +74,25 @@ To determine whether the system has passed the BIOS phase, follow these steps: If the screen is black except for a blinking cursor, or if you receive one of the following error codes, this status indicates that the boot process is stuck in the Boot Loader phase: -- Boot Configuration Data (BCD) missing or corrupted -- Boot file or MBR corrupted -- Operating system Missing -- Boot sector missing or corrupted -- Bootmgr missing or corrupted -- Unable to boot due to system hive missing or corrupted - -To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods. +- Boot Configuration Data (BCD) missing or corrupted +- Boot file or MBR corrupted +- Operating system Missing +- Boot sector missing or corrupted +- Bootmgr missing or corrupted +- Unable to boot due to system hive missing or corrupted +To troubleshoot this problem, use Windows installation media to start the computer, press **Shift** + **F10** for a command prompt, and then use any of the following methods. ### Method 1: Startup Repair tool The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. -To do this task of invoking the Startup Repair tool, follow these steps. +To do this task of invoking the Startup Repair tool, follow these steps. 
> [!NOTE] -> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). +> For additional methods to start WinRE, see [Windows Recovery Environment (Windows RE)](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#entry-points-into-winre). -1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). +1. Start the system to the installation media for the installed version of Windows. For more information, see [Create installation media for Windows](https://support.microsoft.com/windows/create-installation-media-for-windows-99a58364-8c02-206f-aa6f-40c3b507420d). 2. On the **Install Windows** screen, select **Next** > **Repair your computer**. 
@@ -117,28 +104,26 @@ To do this task of invoking the Startup Repair tool, follow these steps. The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location: -**%windir%\System32\LogFiles\Srt\Srttrail.txt** - - -For more information, see [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) +`%windir%\System32\LogFiles\Srt\Srttrail.txt` +For more information, see [Troubleshoot blue screen errors](https://support.microsoft.com/sbs/windows/troubleshoot-blue-screen-errors-5c62726c-6489-52da-a372-3f73142c14ad). ### Method 2: Repair Boot Codes To repair boot codes, run the following command: -```console +```command BOOTREC /FIXMBR ``` To repair the boot sector, run the following command: -```console +```command BOOTREC /FIXBOOT ``` > [!NOTE] -> Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. +> Running `BOOTREC` together with `Fixmbr` overwrites only the master boot code. If the corruption in the MBR affects the partition table, running `Fixmbr` may not fix the problem. ### Method 3: Fix BCD errors @@ -146,15 +131,15 @@ If you receive BCD-related errors, follow these steps: 1. Scan for all the systems that are installed. To do this step, run the following command: - ```console + ```command Bootrec /ScanOS ``` 2. Restart the computer to check whether the problem is fixed. 3. If the problem isn't fixed, run the following commands: - - ```console + + ```command bcdedit /export c:\bcdbackup attrib c:\boot\bcd -r -s -h 
@@ -172,128 +157,116 @@ If methods 1, 2 and 3 don't fix the problem, replace the Bootmgr file from drive 1. At a command prompt, change the directory to the System Reserved partition. -2. Run the **attrib** command to unhide the file: +2. Run the `attrib` command to unhide the file: - ```console + ```command attrib -r -s -h ``` 3. Navigate to the system drive and run the same command: - ```console + ```command attrib -r -s -h ``` -4. Rename the Bootmgr file as Bootmgr.old: +4. Rename the `bootmgr` file as `bootmgr.old`: - ```console + ```command ren c:\bootmgr bootmgr.old ``` 5. Navigate to the system drive. -6. Copy the Bootmgr file, and then paste it to the System Reserved partition. +6. Copy the `bootmgr` file, and then paste it to the System Reserved partition. 7. Restart the computer. -### Method 5: Restore System Hive +### Method 5: Restore system hive -If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step,, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. +If Windows can't load the system registry hive into memory, you must restore the system hive. To do this step, use the Windows Recovery Environment or use the Emergency Repair Disk (ERD) to copy the files from the `C:\Windows\System32\config\RegBack` directory to `C:\Windows\System32\config`. If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. > [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. 
For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder) +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). ## Kernel Phase If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These error messages include, but aren't limited to, the following examples: -- A Stop error appears after the splash screen (Windows Logo screen). +- A Stop error appears after the splash screen (Windows Logo screen). -- Specific error code is displayed. +- Specific error code is displayed. For example, `0x00000C2` , `0x0000007B` , or `inaccessible boot device`. + - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) + - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) - For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. - - [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) - - [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) +- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. -- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. 
- -- A black screen appears after the splash screen. +- A black screen appears after the splash screen. To troubleshoot these problems, try the following recovery boot options one at a time. -**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration** +### Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps: -1. Use one of the following methods to open Event Viewer: +1. Use one of the following methods to open Event Viewer: - - Click **Start**, point to **Administrative Tools**, and then click - **Event Viewer**. + - Go to the **Start** menu, select **Administrative Tools**, and then select **Event Viewer**. - - Start the Event Viewer snap-in in Microsoft Management Console (MMC). + - Start the Event Viewer snap-in in Microsoft Management Console (MMC). -2. In the console tree, expand Event Viewer, and then click the log that you - want to view. For example, click **System log** or **Application log**. +2. In the console tree, expand Event Viewer, and then select the log that you want to view. For example, choose **System log** or **Application log**. -3. In the details pane, double-click the event that you want to view. +3. In the details pane, open the event that you want to view. -4. On the **Edit** menu, click **Copy**, open a new document in the program in - which you want to paste the event (for example, Microsoft Word), and then - click **Paste**. - -5. Use the Up Arrow or Down Arrow key to view the description of the previous - or next event. +4. On the **Edit** menu, select **Copy**. Open a new document in the program in which you want to paste the event. For example, Microsoft Word. 
Then select **Paste**. +5. Use the up arrow or down arrow key to view the description of the previous or next event. ### Clean boot -To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). +To troubleshoot problems that affect services, do a clean boot by using System Configuration (`msconfig`). Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you can't find the cause, try including system services. However, in most cases, the problematic service is third-party. Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. -For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows). +For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/topic/how-to-perform-a-clean-boot-in-windows-da2f9573-6eec-00ad-2f8a-a97a1807f3dd). If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: -[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64) +[Troubleshooting boot problem caused by missing driver signature (x64)](/archive/blogs/askcore/troubleshooting-boot-issues-due-to-missing-driver-signature-x64) > [!NOTE] > If the computer is a domain controller, try Directory Services Restore mode (DSRM). > > This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" - -**Examples** +#### Examples > [!WARNING] -> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. 
These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these -problems can be solved. Modify the registry at your own risk. +> Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft can't guarantee that these problems can be solved. Modify the registry at your own risk. *Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)* To troubleshoot this Stop error, follow these steps to filter the drivers: -1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. +1. Go to Windows Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of the same version of Windows or a later version. -2. Open the registry. +2. Open the registry. -3. Load the system hive, and name it as "test." +3. Load the system hive, and name it **test**. -4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers: - - **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class** - -5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data. +4. Under the following registry subkey, check for lower filter and upper filter items for non-Microsoft drivers: -6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive. + `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class` -7. Restart the server in Normal mode. +5. For each third-party driver that you locate, select the upper or lower filter, and then delete the value data. -For more troubleshooting steps, see the following articles: +6. Search through the whole registry for similar items. Process as appropriate, and then unload the registry hive. 
-- [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md) +7. Restart the server in Normal mode. + +For more troubleshooting steps, see [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](./troubleshoot-inaccessible-boot-device.md). To fix problems that occur after you install Windows updates, check for pending updates by using these steps: @@ -301,16 +274,15 @@ To fix problems that occur after you install Windows updates, check for pending 2. Run the command: - ```console + ```command DISM /image:C:\ /get-packages ``` 3. If there are any pending updates, uninstall them by running the following commands: - ```console + ```command DISM /image:C:\ /remove-package /packagename: name of the package - ``` - ```console + DISM /Image:C:\ /Cleanup-Image /RevertPendingActions ``` 
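Review bot: In the `@@ -172,128 +157,116 @@` hunk, the rewritten Kernel Phase bullet gives the first Stop code as `0x00000C2`, seven hex digits where the `0x0000007B` next to it has eight, and leaves a space before each comma; please confirm the intended code and remove the stray spaces. Two smaller points in the same hunk: the rewritten RegBack note still reads "RegBack folder.This change" with no space after the period, and the DSRM note keeps "0xC00002E1" and "0xC00002E2" in quotation marks while the other codes moved to code font.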
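Review bot: In step 3 of the pending-updates procedure (the `@@ -301,16 +274,15 @@` hunk), the first command in the merged fence still ends with `/packagename: name of the package`, a placeholder written as plain words after a space, so it cannot be run as shown. Write it as an explicit placeholder such as `/packagename:<package name>` and say that the name comes from the `/get-packages` output in step 2. The two lines that now share the fence also differ in casing (`/image:C:\` and `/Image:C:\`), which is worth making uniform.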
@@ -318,72 +290,67 @@ To fix problems that occur after you install Windows updates, check for pending If the computer doesn't start, follow these steps: -1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. +1. Open a command prompt window in WinRE, and start a text editor, such as Notepad. -2. Navigate to the system drive, and search for windows\winsxs\pending.xml. +2. Navigate to the system drive, and search for `windows\winsxs\pending.xml`. -3. If the Pending.xml file is found, rename the file as Pending.xml.old. +3. If the pending.xml file is found, rename the file as `pending.xml.old`. -4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test. +4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as test. -5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value. +5. Highlight the loaded test hive, and then search for the `pendingxmlidentifier` value. -6. If the **pendingxmlidentifier** value exists, delete the value. +6. If the `pendingxmlidentifier` value exists, delete it. -7. Unload the test hive. +7. Unload the test hive. -8. Load the system hive, name it as "test". +8. Load the system hive, name it **test**. -9. Navigate to the following subkey: - - **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller** - -10. Change the **Start** value from **1** to **4** +9. Navigate to the following subkey: + + `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TrustedInstaller` + +10. Change the **Start** value from `1` to `4`. 11. Unload the hive. 12. Try to start the computer. -If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. 
For details, see the following articles: +If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For more information, see [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md). -- [Generate a kernel or complete crash dump](./generate-kernel-or-complete-crash-dump.md) +For more information about page file problems in Windows 10 or Windows Server 2016, see [Introduction to page files](./introduction-page-file.md). -For more information about page file problems in Windows 10 or Windows Server 2016, see the following article: -- [Introduction to page files](./introduction-page-file.md) +For more information about Stop errors, see [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md). -For more information about Stop errors, see the following Knowledge Base article: -- [Advanced troubleshooting for Stop error or blue screen error issue](./troubleshoot-stop-errors.md) +Sometimes the dump file shows an error that's related to a driver. For example, `windows\system32\drivers\stcvsm.sys` is missing or corrupted. In this instance, follow these guidelines: - -If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: - -- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. +- Check the functionality that's provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. - If the driver isn't important and has no dependencies, load the system hive, and then disable the driver. - If the stop error indicates system file corruption, run the system file checker in offline mode. 
- - To do this, open WinRE, open a command prompt, and then run the following command: + - To do this action, open WinRE, open a command prompt, and then run the following command: - ```console - SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows - ``` + ```command + SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows + ``` - For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) + For more information, see [Using system file checker (SFC) to fix issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues). - - If there's disk corruption, run the check disk command: + - If there's disk corruption, run the check disk command: - ```console - chkdsk /f /r - ``` + ```command + chkdsk /f /r + ``` - - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: +- If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: - 1. Start WinRE, and open a Command Prompt window. - 2. Start a text editor, such as Notepad. - 3. Navigate to C:\Windows\System32\Config\. - 4. Rename the all five hives by appending ".old" to the name. - 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. + 1. Start WinRE, and open a command prompt window. + 2. Start a text editor, such as Notepad. + 3. Navigate to `C:\Windows\System32\Config\`. + 4. Rename the all five hives by appending `.old` to the name. + 5. Copy all the hives from the `Regback` folder, paste them in the `Config` folder, and then try to start the computer in Normal mode. 
> [!NOTE] -> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more details, check [this article](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). +> Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder.This change is by design, and is intended to help reduce the overall disk footprint size of Windows. To recover a system with a corrupt registry hive, Microsoft recommends that you use a system restore point. For more information, see [The system registry is no longer backed up to the RegBack folder starting in Windows 10 version 1803](/troubleshoot/windows-client/deployment/system-registry-no-backed-up-regback-folder). diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md deleted file mode 100644 index 6ce343dade..0000000000 --- a/windows/client-management/img-boot-sequence.md +++ /dev/null @@ -1,17 +0,0 @@ ---- -title: Boot sequence flowchart -description: View a full-sized view of the boot sequence flowchart. Use the link to return to the Advanced troubleshooting for Windows boot problems article. -ms.date: 11/16/2018 -ms.reviewer: -manager: dansimp -ms.author: dansimp -author: dansimp -ms.topic: article -ms.prod: w10 ---- - -# Boot sequence flowchart - -Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
- -![Full-sized boot sequence flowchart.](images/boot-sequence.png) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index cc38c493dd..0f27f3d1d1 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -1,140 +1,136 @@ --- title: Manage Windows 10 in your organization - transitioning to modern management -description: This topic offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. -keywords: ["MDM", "device management", "group policy", "Azure Active Directory"] +description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices -author: dansimp ms.localizationpriority: medium -ms.date: 04/26/2018 +ms.date: 06/03/2022 +author: aczechowski +ms.author: aaroncz ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article +manager: dougeby +ms.topic: overview --- # Manage Windows 10 in your organization - transitioning to modern management Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to Windows 7 until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it’s easy for versions to coexist. 
+Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. While this downgrade may appear to save costs due to standardization, greater savings can come from avoiding the downgrade and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist. -Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This “managed diversity” enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Endpoint Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. It also demonstrates how IT can apply policies and configurations to ensure device compliance. 
> [!VIDEO https://www.youtube.com/embed/g1rIcBhhxpA] - >[!NOTE] - >The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) +> [!NOTE] +> The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) -This topic offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. The topic covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: +This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: -- [Deployment and Provisioning](#deployment-and-provisioning) +- [Deployment and Provisioning](#deployment-and-provisioning) -- [Identity and Authentication](#identity-and-authentication) +- [Identity and Authentication](#identity-and-authentication) -- [Configuration](#settings-and-configuration) +- [Configuration](#settings-and-configuration) -- [Updating and Servicing](#updating-and-servicing) +- [Updating and Servicing](#updating-and-servicing) ## Reviewing the management options with Windows 10 Windows 10 offers a range of management options, as shown in the following diagram: -The path to modern IT +:::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." 
lightbox="images/windows-10-management-range-of-options.png"::: -As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like Group Policy, Active Directory, and Microsoft Configuration Manager. It also delivers a “mobile-first, cloud-first” approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. -## Deployment and Provisioning +## Deployment and provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully configured, fully managed devices, you can: +With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can: +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). 
-- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](/mem/intune/fundamentals/). +- Create self-contained provisioning packages built with the Windows Configuration Designer. For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages). -- Create self-contained provisioning packages built with the [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-packages). +- Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction). -- Use traditional imaging techniques such as deploying custom images using [Microsoft Endpoint Configuration Manager](/configmgr/core/understand/introduction). +You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 7 or Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive – everything is right where they left it. 
You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today with Windows 7. +## Identity and authentication -## Identity and Authentication - -You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **“bring your own device” (BYOD)** or to **“choose your own device” (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: -- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD Join](/azure/active-directory/devices/overview). 
When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. + Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. -- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that’s [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. 
- - Single sign-on to cloud and on-premises resources from everywhere +- **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-overview) + With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: - - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device + - Single sign-on to cloud and on-premises resources from everywhere - - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) - - Windows Hello + - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device - Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/configmgr/core/understand/introduction) client or Group Policy. + - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + + - Windows Hello + + Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. 
For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview). As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. -![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png) +:::image type="content" source="images/windows-10-management-cyod-byod-flow.png" alt-text="Diagram of decision tree for device authentication options." lightbox="images/windows-10-management-cyod-byod-flow.png"::: -## Settings and Configuration +## Settings and configuration -Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer.  +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. -**MDM**: [MDM](https://www.microsoft.com/cloud-platform/mobile-device-management) gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. 
(In contrast, Group Policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using GP that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. +**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. -**Group Policy** and **Microsoft Endpoint Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer’s 1,500 configurable Group Policy settings. If so, Group Policy and Configuration Manager continue to be excellent management choices: +**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: -- Group Policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add Group Policy settings with each new version of Windows. 
+- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. -- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. +- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. +## Updating and servicing -## Updating and Servicing +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). -With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple – often automatic – patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). - -MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. +MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. 
## Next steps There are various steps you can take to begin the process of modernizing device management in your organization: -**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, re-evaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use the [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to help determine which Group Policies are set for a target user/computer and cross-reference them against the list of available MDM policies. +**Assess current management practices, and look for investments you might make today.** Which of your current practices need to stay the same, and which can you change? Specifically, what elements of traditional management do you need to retain and where can you modernize? Whether you take steps to minimize custom imaging, reevaluate settings management, or reassesses authentication and compliance, the benefits can be immediate. You can use [Group policy analytics in Microsoft Endpoint Manager](/mem/intune/configuration/group-policy-analytics) to help determine which group policies supported by cloud-based MDM providers, including Microsoft Intune. **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. 
**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here's the list of MDM policies with equivalent GP - [Policies supported by GP](./mdm/policy-configuration-service-provider.md) +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#controlpolicyconflict-mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Configuration Manager 1710 onward, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: +- [Co-management for Windows devices](/mem/configmgr/comanage/overview) +- [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10) +- [Switch Configuration Manager workloads to Intune](/mem/configmgr/comanage/how-to-switch-workloads) +- [Co-management dashboard in Configuration Manager](/mem/configmgr/comanage/how-to-monitor) -- [Co-management for Windows 10 devices](/configmgr/core/clients/manage/co-management-overview) -- [Prepare Windows 10 devices for co-management](/configmgr/core/clients/manage/co-management-prepare) -- [Switch Configuration Manager workloads to Intune](/configmgr/core/clients/manage/co-management-switch-workloads) -- [Co-management dashboard in Configuration Manager](/configmgr/core/clients/manage/co-management-dashboard) +## Related articles -## Related topics - -- [What is Intune?](/mem/intune/fundamentals/what-is-intune) -- [Windows 10 Policy CSP](./mdm/policy-configuration-service-provider.md) -- [Windows 10 Configuration service 
Providers](./mdm/configuration-service-provider-reference.md) +- [What is Intune?](/mem/intune/fundamentals/what-is-intune) +- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md) +- [Windows 10 configuration service providers](./mdm/configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 25a95f6c0b..6e1bc0d9c6 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 94eba45c92..95689e3b8f 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index 3cc8bc3399..7215d94d6e 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md index f09f6f0d3d..700e422e49 100644 --- a/windows/client-management/mdm/application-csp.md +++ b/windows/client-management/mdm/application-csp.md 
@@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 3beb09b98d..02eb0f514c 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index c70d901cd1..3785ca1b3c 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 5f61ca771d..cf61a9f2c1 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index b4564bd96c..8370601e1d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
@@ -76,6 +76,7 @@ Allows the administrator to require encryption that needs to be turned on by usi |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -136,6 +137,7 @@ Allows you to set the default encryption method for each of the different drive |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,6 +211,7 @@ Allows you to associate unique organizational identifiers to a new drive that is |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -266,6 +269,7 @@ Allows users on devices that are compliant with InstantGo or the Microsoft Hardw |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -305,6 +309,7 @@ Allows users to configure whether or not enhanced startup PINs are used with Bit |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -347,6 +352,7 @@ Allows you to configure whether standard users are allowed to change BitLocker P |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -389,6 +395,7 @@ Allows users to enable authentication options that require user input from the p |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -438,6 +445,7 @@ Allows you to configure the encryption type that is used by BitLocker. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -485,6 +493,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Require addition |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -582,6 +591,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure minimu |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -648,6 +658,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Configure pre-bo |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -724,6 +735,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -812,6 +824,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLo |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -903,6 +916,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -960,6 +974,7 @@ Allows you to configure the encryption type on fixed data drives that is used by |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1007,6 +1022,7 @@ This setting is a direct mapping to the BitLocker Group Policy "Deny write acces |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1073,6 +1089,7 @@ Allows you to configure the encryption type that is used by BitLocker. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1114,6 +1131,7 @@ Allows you to control the use of BitLocker on removable data drives. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1170,6 +1188,7 @@ Allows the admin to disable the warning prompt for other disk encryption on the |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1224,6 +1243,7 @@ If "AllowWarningForOtherDiskEncryption" isn't set, or is set to "1", "RequireDev |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1268,6 +1288,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1315,6 +1336,7 @@ Each server-side recovery key rotation is represented by a request ID. The serve |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1353,6 +1375,7 @@ This node reports compliance state of device encryption on the system. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1413,6 +1436,7 @@ Status code can be one of the following values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1439,6 +1463,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md index 668e91047f..7ac0af3d3d 100644 --- a/windows/client-management/mdm/cellularsettings-csp.md +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index 010ec8b52d..32b017f492 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index ef943cbe35..5eb147ea0c 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -1,13 +1,13 @@ --- title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. +author: aczechowski +ms.author: aaroncz ms.reviewer: -manager: dansimp -ms.author: dansimp +manager: dougeby ms.topic: article ms.prod: w10 ms.technology: windows -author: dansimp ms.localizationpriority: medium ms.date: 10/19/2020 --- 
@@ -174,7 +174,6 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| -|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| |[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| ## August 2018 @@ -227,7 +226,6 @@ This article lists new and updated articles for the Mobile Device Management (MD |[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)|Added the following node in Windows 10, version 1803:

  • Settings/AllowVirtualGPU
  • Settings/SaveFilesToHost| |[NetworkProxy CSP](networkproxy-csp.md)|Added the following node in Windows 10, version 1803:
  • ProxySettingsPerUser| |[Accounts CSP](accounts-csp.md)|Added a new CSP in Windows 10, version 1803.| -|[MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat)|Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.| |[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)|Added the DDF download of Windows 10, version 1803 configuration service providers.| |[Policy CSP](policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1803:
  • Bluetooth/AllowPromptedProximalConnections
  • KioskBrowser/EnableEndSessionButton
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers| diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md index 454f964acd..3c615c5b08 100644 --- a/windows/client-management/mdm/cleanpc-csp.md +++ b/windows/client-management/mdm/cleanpc-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 028cae12a8..b667bfa46b 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |---|---|---| |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 2e54d92c4c..c5b7aebc24 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index d1ce18151d..3e405b2e16 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index e8f9de1f33..64aad26081 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -14,6 +14,17 @@ ms.date: 06/26/2017 # CMPolicyEnterprise CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|No| +|Business|No|No| +|Enterprise|No|No| +|Education|No|No| + The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] 
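Review bot: The applicability table added under `# CMPolicyEnterprise CSP` marks every edition, Home through Education, as No for both Windows 10 and Windows 11, while the unchanged paragraph right after it still describes how the enterprise uses this CSP. Please confirm the values. If the CSP really is unsupported on all listed editions, add a sentence saying so, because an all-No table next to usage guidance reads like a copy-paste error.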
@@ -21,9 +32,12 @@ The CMPolicyEnterprise configuration service provider is used by the enterprise Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies +Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies + + **Policy Ordering**: There's no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. -**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. +**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. 
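Review bot: The added line beginning `+Each policy entry identifies one or more applications in combination with a host pattern.` repeats the unchanged context paragraph directly above it word for word, so the rendered article will show the same paragraph twice, followed by two extra blank lines. Drop the added copy. If the intent was to fix the original sentence, edit it in place and add the missing period after "can have multiple policies". The **Default Policies** line in the same hunk also keeps the curly apostrophe in "phone’s", while other files in this patch replace curly apostrophes with straight ones.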
@@ -72,7 +86,8 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". + +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. @@ -90,7 +105,6 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th |Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| |Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| - For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: @@ -133,7 +147,6 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples - Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -227,7 +240,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C ## OMA DM examples - Adding an application-based mapping policy: ```xml 
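Review bot: In the `@@ -72,7 +86,8 @@` hunk of this file, the rewritten **Conn***XXX* description reads worse than the line it replaces: "three-digits, which increment" hyphenates a plain noun phrase, and "a policy which applied to five connections" shifts to the past tense. Suggest keeping the original wording, "followed by three digits that increment starting from "000"" and "a policy applied to five connections". The blank line added between the term and its description is also inconsistent with **ConnectionID** just below, whose description follows the term directly.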
@@ -364,7 +376,6 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - |Element|Available| |--- |--- | |parm-query|Yes| @@ -373,7 +384,6 @@ Adding a host-based mapping policy: ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index 26a30c88a6..a2167e456e 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md 
@@ -1,93 +1,90 @@ --- -title: Secured-Core Configuration Lock -description: A Secured-Core PC (SCPC) feature that prevents configuration drift from Secured-Core PC features (shown below) caused by unintentional misconfiguration. +title: Secured-core configuration lock +description: A secured-core PC (SCPC) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. manager: dansimp -keywords: mdm,management,administrator,config lock ms.author: v-lsaldanha ms.topic: article ms.prod: w11 ms.technology: windows author: lovina-saldanha -ms.date: 03/14/2022 +ms.date: 05/24/2022 --- -# Secured-Core PC Configuration Lock +# Secured-core PC configuration lock **Applies to** -- Windows 11 +- Windows 11 -In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with Config Lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. +In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. 
Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. -Secured-Core Configuration Lock (Config Lock) is a new [Secured-Core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from Secured-Core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a Secured-Core PC remains a Secured-Core PC. +Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. -To summarize, Config Lock: +To summarize, config lock: -- Enables IT to “lock” Secured-Core PC features when managed through MDM +- Enables IT to "lock" secured-core PC features when managed through MDM - Detects drift remediates within seconds -- DOES NOT prevent malicious attacks +- Doesn't prevent malicious attacks ## Configuration Flow -After a Secured-Core PC reaches the desktop, Config Lock will prevent configuration drift by detecting if the device is a Secured-Core PC or not. When the device isn't a Secured-Core PC, the lock won't apply. If the device is a Secured-Core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). +After a secured-core PC reaches the desktop, config lock will prevent configuration drift by detecting if the device is a secured-core PC or not. When the device isn't a secured-core PC, the lock won't apply. 
If the device is a secured-core PC, config lock will lock the policies listed under [List of locked policies](#list-of-locked-policies). ## System Requirements -Config Lock will be available for all Windows Professional and Enterprise Editions running on [Secured-Core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). +Config lock will be available for all Windows Professional and Enterprise Editions running on [secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure). -## Enabling Config Lock using Microsoft Intune +## Enabling config lock using Microsoft Intune -Config Lock isn't enabled by default (or turned on by the OS during boot). Rather, an IT Admin must intentionally turn it on. - -The steps to turn on Config Lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: +Config lock isn't enabled by default, or turned on by the OS during boot. Rather, you need to turn it on. -1. Ensure that the device to turn on Config Lock is enrolled in Microsoft Intune. +The steps to turn on config lock using Microsoft Endpoint Manager (Microsoft Intune) are as follows: + +1. Ensure that the device to turn on config lock is enrolled in Microsoft Intune. 1. From the Microsoft Intune portal main page, select **Devices** > **Configuration Profiles** > **Create a profile**. 1. Select the following and press **Create**: - **Platform**: Windows 10 and later - **Profile type**: Templates - **Template name**: Custom - :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates"::: + :::image type="content" source="images/configlock-mem-createprofile.png" alt-text="In Configuration profiles, the Create a profile page is showing, with the Platform set to Windows 10 and later, and a Profile Type of Templates."::: 1. Name your profile. -1. 
When you reach the Configuration Settings step, select “Add” and add the following information: +1. When you reach the Configuration Settings step, select "Add" and add the following information: - **OMA-URI**: ./Vendor/MSFT/DMClient/Provider/MS%20DM%20Server/ConfigLock/Lock - **Data type**: Integer - **Value**: 1
    - To turn off Config Lock, change the value to 0. + To turn off config lock, change the value to 0. - :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of Config Lock, a Description of Turn on Config Lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1"::: + :::image type="content" source="images/configlock-mem-editrow.png" alt-text="In the Configuration settings step, the Edit Row page is shown with a Name of config lock, a Description of Turn on config lock and the OMA-URI set as above, along with a Data type of Integer set to a Value of 1."::: -1. Select the devices to turn on Config Lock. If you're using a test tenant, you can select “+ Add all devices”. +1. Select the devices to turn on config lock. If you're using a test tenant, you can select "+ Add all devices". 1. You'll not need to set any applicability rules for test purposes. -1. Review the Configuration and select “Create” if everything is correct. -1. After the device syncs with the Microsoft Intune server, you can confirm if the Config Lock was successfully enabled. +1. Review the Configuration and select "Create" if everything is correct. +1. After the device syncs with the Microsoft Intune server, you can confirm if the config lock was successfully enabled. 
- :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the Config Lock device configuration profile, showing one device has succeeded in having this profile applied"::: + :::image type="content" source="images/configlock-mem-dev.png" alt-text="The Profile assignment status dashboard when viewing the config lock device configuration profile, showing one device has succeeded in having this profile applied."::: - :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the Config Lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending"::: + :::image type="content" source="images/configlock-mem-devstatus.png" alt-text="The Device Status for the config lock Device Configuration Profile, showing one device with a Deployment Status as Succeeded and two with Pending."::: -## Configuring Secured-Core PC features +## Configuring secured-core PC features -Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally misconfigured. IT Admins retain the ability to change (enable/disable) SCPC features (for example Firmware protection) via Group Policies and/or mobile device management (MDM) tools, such as Microsoft Intune. +Config lock is designed to ensure that a secured-core PC isn't unintentionally misconfigured. You keep the ability to enable or disable SCPC features, for example, firmware protection. You can make these changes with group policies or MDM services like Microsoft Intune. + +:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. 
The setting is set to Off."::: -:::image type="content" source="images/configlock-mem-firmwareprotect.png" alt-text="The Defender Firmware protection setting, with a description of Windows Defender System Guard protects your device from compromised firmware. The setting is set to Off"::: - ## FAQ -**Can an IT admins disable Config Lock ?**
    - Yes. IT admins can use MDM to turn off Config Lock.
    +- Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. ### List of locked policies |**CSPs** | |-----| -|[BitLocker ](bitlocker-csp.md) | +|[BitLocker](bitlocker-csp.md) | |[PassportForWork](passportforwork-csp.md) | |[WindowsDefenderApplicationGuard](windowsdefenderapplicationguard-csp.md) | -|[ApplicationControl](applicationcontrol-csp.md) - +|[ApplicationControl](applicationcontrol-csp.md) |**MDM policies** | **Supported by Group Policy** | |-----|-----| diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index fb7537220e..d12b45b482 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -616,18 +616,6 @@ Additional lists: - -[Proxy CSP](proxy-csp.md) - - - -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|Yes|Yes|Yes|Yes|Yes| - - - - [PXLogical CSP](pxlogical-csp.md) @@ -676,18 +664,6 @@ Additional lists: - -[PolicyManager CSP](policymanager-csp.md) - - - -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|No|No|No|No|No| - - - - [Provisioning CSP](provisioning-csp.md) @@ -821,6 +797,15 @@ Additional lists: + +[SurfaceHub](surfacehub-csp.md) + + + + + + + [TenantLockdown CSP](tenantlockdown-csp.md) @@ -905,6 +890,16 @@ Additional lists: + +[W4 Application CSP](w4-application-csp.md) + + + + + + + + [WiFi CSP](wifi-csp.md) @@ -989,6 +984,15 @@ Additional lists: + + +[w7 Application CSP](w7-application-csp.md) + + + + + +
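Review bot: In config-lock.md, the new FAQ answer says config lock can be put "in temporary unlock mode for helpdesk activities", but the only control the page documents is the ConfigLock/Lock OMA-URI with value 1 to turn it on and 0 to turn it off. Either document which node or value selects temporary unlock, how long it lasts and whether drift remediation is suspended while it is active, or drop the clause; administrators need that to know when the locked policies are not being enforced. The unchanged bullet "Detects drift remediates within seconds" is also still missing an "and".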
    diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 1a0f77c9ed..ba7ddde489 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -42,7 +42,6 @@ Package Full Name of the application that needs to be launched in the background ## SyncML examples - **Set StartupAppID** ```xml diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 22ee682cf2..df63bb462e 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -15,6 +15,15 @@ ms.date: 02/22/2022 # Defender CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + > [!WARNING] > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. @@ -355,7 +364,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi **EnableNetworkProtection/DisableHttpParsing** -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
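Review bot: In the DisableHttpParsing hunk of defender-csp.md (@@ -355,7 +364,7 @@), replacing "-EnableNetworkProtection" with "Enable Network Protection" leaves a name that matches neither the node path in the heading (EnableNetworkProtection/DisableHttpParsing) nor the old spelling, so readers cannot search for it. Use the exact identifier, for example "if EnableNetworkProtection is set to enabled". The same applies to the RDP, SSH and TLS hunks that follow in this file.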
@@ -365,7 +374,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to **EnableNetworkProtection/DisableRdpParsing** -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". +Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -375,7 +384,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn **EnableNetworkProtection/DisableSshParsing** -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". +Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
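Review bot: In the DisableSshParsing hunk (@@ -375,7 +384,7 @@), both the removed and the added line keep the stray full stop after "known malicious hosts", which leaves "If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring." as a sentence fragment. Since the line is being edited anyway, join it the way the DisableRdpParsing description does: "so that it can block connections from known malicious hosts if EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring".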
@@ -385,7 +394,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k **EnableNetworkProtection/DisableTlsParsing** -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -594,11 +603,13 @@ An interior node to group Windows Defender configuration information. Supported operation is Get. **Configuration/TamperProtection** + Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. + Send off blob to device to reset the tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. -The data type is a Signed blob. +The data type is a Signed BLOB. Supported operations are Add, Delete, Get, Replace. 
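Review bot: In the DisableTlsParsing hunk (@@ -385,7 +394,7 @@), the edited line still ends with "HTTP inspection can be disabled by setting this value", carried over from the DisableHttpParsing description; for this node it should say TLS inspection. Worth fixing in the same change, because as written a reader can take this setting to turn off HTTP parsing rather than TLS parsing.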
@@ -610,7 +621,7 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. **Configuration/DisableLocalAdminMerge**
    -This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. +This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusion list. If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, management settings will override preference settings. @@ -630,6 +641,7 @@ Valid values are: - 0 (default) – Disable. **Configuration/HideExclusionsFromLocalAdmins**
    + This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. @@ -639,22 +651,23 @@ If you enable this setting, Local Admins will no longer be able to see the exclu > [!NOTE] > Applying this setting won't remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. -Supported OS versions: Windows 10 +Supported OS versions: Windows 10 The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. - 0 (default) – Disable. **Configuration/DisableCpuThrottleOnIdleScans**
    + Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 (default) – Enable. @@ -665,7 +678,7 @@ Allow managed devices to update through metered connections. Data charges may ap The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -676,7 +689,7 @@ This settings controls whether Network Protection is allowed to be configured in The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -687,7 +700,7 @@ Allows an administrator to explicitly disable network packet inspection made by The data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. @@ -695,7 +708,7 @@ When this feature is enabled, Windows Defender will compute hashes for files it The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -706,7 +719,7 @@ The support log location setting allows the administrator to specify where the M Data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Intune Support log location setting UX supports three states: 
@@ -714,7 +727,7 @@ Intune Support log location setting UX supports three states: - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: @@ -738,7 +751,7 @@ If you disable or don't configure this policy, the device will stay up to date a The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) @@ -771,7 +784,7 @@ If you disable or don't configure this policy, the device will stay up to date a The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) @@ -796,7 +809,7 @@ Current Channel (Broad): Devices will be offered updates only after the gradual If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid Values are: - 0: Not configured (Default) @@ -819,7 +832,7 @@ If you disable or don't configure this policy, the device will remain in Current The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enabled. 
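Review bot: In the DisableLocalAdminMerge hunk of defender-csp.md (@@ -610,7 +621,7 @@), "lists such as threats and exclusion list" is a regression from "lists such as threats and exclusions": the plural "lists" is now followed by a singular "list". Suggest reverting that line, or writing "lists such as the threat and exclusion lists".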
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 7a1c219d01..b2a87f5a47 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -14,6 +14,16 @@ ms.date: 03/27/2020 # DevDetail CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 22f1b88991..c484b9a326 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -861,7 +861,7 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici |DeferFeatureUpdates|REG_DWORD|1: defer feature updates

    Other value or absent: don’t defer feature updates| |DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| |PauseFeatureUpdates|REG_DWORD|1: pause feature updates

    Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude WU drivers

    Other value or absent: offer WU drivers| +|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers

    Other value or absent: offer Windows Update drivers| Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md index a932bc0ed7..5a205b9d64 100644 --- a/windows/client-management/mdm/devicemanageability-csp.md +++ b/windows/client-management/mdm/devicemanageability-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 3f04f4495f..d70efed2a5 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md index e5dc49d8ee..e23eaed096 100644 --- a/windows/client-management/mdm/devinfo-csp.md +++ b/windows/client-management/mdm/devinfo-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 6476b2d5e2..6a733fed4d 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md 
@@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 50fd9dfd0d..aecd5bf113 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 80655c5989..187e71bdb1 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -50,6 +51,8 @@ DMClient ------------Unenroll ------------AADResourceID ------------AADDeviceID +------------AADSendDeviceToken +------------ForceAadToken ------------EnrollmentType ------------EnableOmaDmKeepAliveMessage ------------HWDevID 
@@ -72,6 +75,21 @@ DMClient ----------------NumberOfRemainingScheduledRetries ----------------PollOnLogin ----------------AllUsersPollOnFirstLogin +------------LinkedEnrollment +----------------Priority +----------------Enroll +----------------Unenroll +----------------EnrollStatus +----------------LastError +------------Recovery +----------------AllowRecovery +----------------RecoveryStatus +----------------InitiateRecovery +------------MultipleSession +----------------NumAllowedConcurrentUserSessionForBackgroundSync +----------------NumAllowedConcurrentUserSessionAtUserLogonSync +----------------IntervalForScheduledRetriesForUserSession +----------------NumberOfScheduledRetriesForUserSession ----Unenroll ----UpdateManagementServiceAddress ``` @@ -325,6 +343,11 @@ Supported operations are Add, Delete, Get, and Replace. Value type is bool. +**Provider/*ProviderID*/ForceAadToken** +The value type is integer/enum. + +The value is "1" and it means client should always send AAD device token during check-in/sync. + **Provider/*ProviderID*/Poll** Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. 
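Review bot: In the ForceAadToken hunk of dmclient-csp.md (@@ -325,6 +343,11 @@), the new description documents only the value "1" for a node typed integer/enum and lists no supported operations, unlike the node descriptions around it. State every accepted value and what the client does for each, including when the node is absent, and add the supported operations line, since this node controls when the AAD device token is sent during check-in.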
@@ -443,6 +466,117 @@ Optional. Boolean value that allows the IT admin to require the device to start Supported operations are Add, Get, and Replace. +**Provider/*ProviderID*/LinkedEnrollment/Priority** +This node is an integer, value is "0" or "1". + +Default is 1, meaning the MDM enrollment is the “winning” authority for conflicting policies/resources. Value 1 means MMP-C enrollment is the “winning” one. +Support operations are Get and Set. + +**Provider/*ProviderID*/LinkedEnrollment/Enroll** +This is an execution node and will trigger a silent MMP-C enrollment, using the AAD device token pulled from the AADJ’ed device. There is no user interaction needed. + +Support operation is Exec. + +**Provider/*ProviderID*/LinkedEnrollment/Unenroll** +This is an execution node and will trigger a silent MMP-C unenroll, there is no user interaction needed. On un-enrollment, all the settings/resources set by MMPC will be rolled back(rollback details will be covered later). + +Support operation is Exec. + +**Provider/*ProviderID*/LinkedEnrollment/EnrollStatus** + +This node can be used to check both enroll and unenroll statuses. +This will return the enroll action status and is defined as a enum class LinkedEnrollmentStatus. The values are aas follows: + +- Undefined = 0 +- EnrollmentNotStarted = 1 +- InProgress = 2 +- Failed = 3 +- Succeeded = 4 +- UnEnrollmentQueued = 5 +- UnEnrollmentSucceeded = 8 + +Support operation is Get only. + +**Provider/*ProviderID*/LinkedEnrollment/LastError** + +This specifies the Hresult to report the enrollment/unenroll results. + +**Provider/*ProviderID*/Recovery/AllowRecovery** + +This node determines whether or not the client will automatically initiate a MDM Recovery operation when it detects issues with the MDM certificate. + +Supported operations are Get, Add, Replace and Delete. + +The supported values for this node are 1-true (allow) and 0-false(not allow). Default value is 0. 
+ +**Provider/*ProviderID*/Recovery/RecoveryStatus** + +This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows: + +0 - No Recovery request has been processed. +1 - Recovery is in Process. +2 - Recovery has finished successfully. +3 - Recovery has failed to start because TPM is not available. +4 - Recovery has failed to start because AAD keys are not protected by the TPM. +5 - Recovery has failed to start because the MDM keys are already protected by the TPM. +6 - Recovery has failed to start because the TPM is not ready for attestation. +7 - Recovery has failed because the client cannot authenticate to the server. +8 - Recovery has failed because the server has rejected the client's request. + +Supported operation is Get only. + +**Provider/*ProviderID*/Recovery/InitiateRecovery** + +This node initiates an MDM Recovery operation on the client. + +If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device. + +If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation. + +Supported operation is Exec only. + +**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync** + +Optional. This node specifies maximum number of concurrent user sync sessions in background. + +The default value is dynamically decided by the client based on CPU usage. + +The values are : 0= none, 1= sequential, anything else= parallel. + +Supported operations are Get, Add, Replace and Delete. + +Value type is integer. Only applicable for Windows Enterprise multi-session. + + +**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync** +Optional. This node specifies maximum number of concurrent user sync sessions at User Login. + +The default value is dynamically decided by the client based on CPU usage. 
+ +The values are : 0= none, 1= sequential, anything else= parallel. + +Supported operations are Get, Add, Replace and Delete. + +Value type is integer. Only applicable for Windows Enterprise multi-session. + +**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession** +Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`. + +If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled. + +This configuration is only applicable for Windows Multi-session Editions. + +Supported operations are Get and Replace. + +**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession** +Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. + +If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times. + +The default value is 0. This configuration is only applicable for Windows Multi-session Editions. + +Supported operations are Get and Replace. + **Provider/*ProviderID*/ConfigLock** Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected. @@ -496,7 +630,7 @@ The status error mapping is listed below. |--- |--- | |0|Success| |1|Failure: invalid PFN| -|2|Failure: invalid or expired device authentication with MSA| +|2|Failure: invalid or expired device authentication with Microsoft account| |3|Failure: WNS client registration failed due to an invalid or revoked PFN| |4|Failure: no Channel URI assigned| |5|Failure: Channel URI has expired| 
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 438ec54bdd..8a95673243 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index bb204af81d..ce38bf29cd 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 9f9d1ab88c..1565168c9c 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -14,12 +14,10 @@ ms.date: 06/26/2017 # EAP configuration - This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10. ## Create an EAP configuration XML for a VPN profile - To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box: 1. Run rasphone.exe. 
@@ -107,15 +105,13 @@ To get the EAP configuration from your desktop using the rasphone tool that is s ``` > [!NOTE] - > You should check with mobile device management (MDM) vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: - - C:\\Windows\\schemas\\EAPHost - - C:\\Windows\\schemas\\EAPMethods + > You should check with Mobile Device Management (MDM) vendor, if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: + > - C:\\Windows\\schemas\\EAPHost + > - C:\\Windows\\schemas\\EAPMethods -   ## EAP certificate filtering - In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate. Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as: 
@@ -123,11 +119,11 @@ Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can - The user might be prompted to select the certificate. - The wrong certificate might be auto-selected and cause an authentication failure. -A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. +A production ready deployment must have appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and appropriate certificate can be used for the authentication. -EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: +EAP XML must be updated with relevant information for your environment. This task can be done manually by editing the following XML sample or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For Wi-Fi, look for the `` section of your current WLAN Profile XML. (This section is what you specify for the WLanXml node in the Wi-Fi CSP.) 
Within these tags, you'll find the complete EAP configuration. Replace the section under `` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field. For information about EAP settings, see . 
@@ -142,9 +138,9 @@ The following list describes the prerequisites for a certificate to be used with - The certificate must have at least one of the following EKU properties: - - Client Authentication. As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2. - - Any Purpose. This property is an EKU-defined one and is published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - - All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes. + - Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2. + - Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. + - All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes. - The user or the computer certificate on the client must chain to a trusted root CA. - The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. 
@@ -157,7 +153,6 @@ The following XML sample explains the properties for the EAP TLS XML, including > For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.   - ```xml @@ -261,7 +256,6 @@ The following XML sample explains the properties for the EAP TLS XML, including > The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.   - Alternatively, you can use the following procedure to create an EAP configuration XML: 1. Follow steps 1 through 7 in the EAP configuration article. @@ -290,8 +284,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio > [!NOTE] > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)) article. -  -  +## Related topics -  +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index dab6f05a0e..d2ba3631d3 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index b7893f3be0..d345f06255 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md 
@@ -17,6 +17,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 1facdd010f..535d6ce24b 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 7a1cc8d6dd..b2a5361647 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index a83cfc02b3..2c237eb14f 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -20,18 +20,19 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). -> [!Note] -> To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). +> [!NOTE] +> To make Windows Information Protection functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). -While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). +While Windows Information Protection has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). 
-To learn more about WIP, see the following articles: +To learn more about Windows Information Protection, see the following articles: - [Create a Windows Information Protection (WIP) policy](/windows/security/information-protection/windows-information-protection/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) @@ -62,8 +63,8 @@ The root node for the Windows Information Protection (WIP) configuration setting **Settings/EDPEnforcementLevel** Set the WIP enforcement level. -> [!Note] -> Setting this value isn't sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +> [!NOTE] +> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running. The following list shows the supported values: 
@@ -75,14 +76,13 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client. -> [!Note] +> [!NOTE] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. - Here are the steps to create canonical domain names: 1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 
@@ -241,7 +241,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1. The following list shows the supported values: 
@@ -251,7 +251,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys. - 1 (default) - Revoke keys. @@ -264,7 +264,7 @@ TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS t Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP** -Specifies whether to allow Azure RMS encryption for WIP. +Specifies whether to allow Azure RMS encryption for Windows Information Protection. - 0 (default) – Don't use RMS. - 1 – Use RMS. 
@@ -277,7 +277,7 @@ When this policy isn't specified, the existing auto-encryption behavior is appli Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app. The following list shows the supported values: - 0 (default) - No WIP overlays on icons or tiles. @@ -286,7 +286,7 @@ The following list shows the supported values: Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status** -A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. +A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. Suggested values: 
@@ -298,7 +298,7 @@ Bit 0 indicates whether WIP is on or off. Bit 1 indicates whether AppLocker WIP policies are set. -Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). +Bit 3 indicates whether the mandatory Windows Information Protection policies are configured. If one or more of the mandatory WIP policies aren't configured, the bit 3 is set to 0 (zero). Here's the list of mandatory WIP policies: diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index b7c829d77b..8fe5f44ab9 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 0b73271a16..bfe075df09 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index e75cd3532d..4a840115e0 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index b5412b3604..022801745a 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -5,8 +5,7 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 11/29/2021 +author: dansimp ms.reviewer: manager: dansimp --- @@ -19,6 +18,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -244,7 +244,7 @@ Default value is true. Value type is bool. Supported operations are Add, Get and Replace. **/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it's explicitly specified not to block. +This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, the local store value is used. DefaultOutboundAction will allow all outbound traffic unless it's explicitly specified not to allow. - 0x00000000 - allow - 0x00000001 - block 
@@ -440,4 +440,4 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index e9f9d1928d..4b0d882361 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png index 1e315bc4b1..d134a5fcb2 100644 Binary files a/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png and b/windows/client-management/mdm/images/configlock-mem-firmwareprotect.png differ diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index 35bed03a19..e17aa75f60 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -80,17 +80,17 @@ Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback: -- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps. +- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. - [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). - [DevInfo CSP](devinfo-csp.md). - [DMAcc CSP](dmacc-csp.md). - [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL. -- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies. +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies. - [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). - [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management. - [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas. -- [Reporting CSP](reporting-csp.md) for retrieving WIP logs. +- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs. - [RootCaTrustedCertificates CSP](rootcacertificates-csp.md). - [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. - [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. 
@@ -116,13 +116,13 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to Windows doesn't support applying both MAM and MDM policies to the same devices. If configured by the admin, users can change their MAM enrollment to MDM. > [!NOTE] -> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to Windows Information Protection. On Windows Home edition, we don't recommend pushing MDM policies to enable users to upgrade. To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. -In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: +In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when Windows Information Protection policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: -- Both MAM and MDM policies for the organization support WIP. +- Both MAM and MDM policies for the organization support Windows Information Protection. - EDP CSP Enterprise ID is the same for both MAM and MDM. - EDP CSP RevokeOnMDMHandoff is set to false. 
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 7fe9cd95eb..5bd11c744d 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md 
@@ -1,28 +1,28 @@ --- title: Mobile device management -description: Windows 10 and Windows 11 provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy +description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' -ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: dansimp -ms.topic: article +ms.topic: overview ms.prod: w10 ms.technology: windows -author: dansimp +author: aczechowski +ms.author: aaroncz ms.collection: highpri +ms.date: 06/03/2022 --- # Mobile device management -Windows 10 and Windows 11 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. +Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. -There are two parts to the Windows management component: +There are two parts to the Windows management component: -- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. -- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. +- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. 
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). ## MDM security baseline 
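Review bot: The "Third-party MDM servers can manage Windows 10 ..." paragraph at the end of this hunk is touched only for whitespace and still names Windows 10 alone three times, while the description and opening sentence in the same hunk now read "Windows 10 and Windows 11 provide". Either extend that paragraph to Windows 11 or state that the third-party protocol statement is intentionally limited to Windows 10. The description also keeps "user's privacy" where the body says "users' privacy"; align them while the line is being edited.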
@@ -37,7 +37,7 @@ The MDM security baseline includes policies that cover the following areas: - Legacy technology policies that offer alternative solutions with modern technology - And much more -For more details about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see: +For more information about the MDM policies defined in the MDM security baseline and what Microsoft's recommended baseline policy values are, see: - [MDM Security baseline for Windows 11](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/Windows11-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip) 
@@ -48,37 +48,27 @@ For more details about the MDM policies defined in the MDM security baseline and For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). - - -## Learn about migrating to MDM - -When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy setting in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). - - ## Learn about device enrollment - -- [Mobile device enrollment](mobile-device-enrollment.md) -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [Mobile device enrollment](mobile-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) ## Learn about device management - -- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- [Enterprise app management](enterprise-app-management.md) -- [Mobile device management (MDM) for device updates](device-update-management.md) -- [Enable offline upgrades to 
Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) -- [OMA DM protocol support](oma-dm-protocol-support.md) -- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) -- [Server requirements for OMA DM](server-requirements-windows-mdm.md) -- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) +- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) +- [Enterprise app management](enterprise-app-management.md) +- [Mobile device management (MDM) for device updates](device-update-management.md) +- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) +- [OMA DM protocol support](oma-dm-protocol-support.md) +- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) +- [Server requirements for OMA DM](server-requirements-windows-mdm.md) +- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) ## Learn about configuration service providers - -- [Configuration service provider reference](configuration-service-provider-reference.md) -- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) -- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) -- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) +- [Configuration service provider reference](configuration-service-provider-reference.md) +- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) +- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) +- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) 
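Review bot: The "Learn about migrating to MDM" section is deleted in this hunk and nothing left in the file points readers to the MDM Migration Analysis Tool. If MMAT is retired, say so in the commit description; if it is still supported, keep a one-line pointer, since that section was the only place telling organizations to analyze their current Group Policy settings before moving to MDM. Separately, the re-added link text "On-premise authentication device enrollment" could be corrected to "On-premises" while the line is being rewritten.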
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index aa2284255f..3a2861bbf1 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -13,6 +13,16 @@ manager: dansimp # MultiSIM CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index c29289fd2b..540ea74cc1 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -14,6 +14,17 @@ ms.date: 06/26/2017 # NAP CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections. > [!Note] 
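Review bot: The lead-in added above the edition table in nap-csp.md, "The table below shows the applicability of Windows:", does not say what applies to what; wording along the lines of "This CSP applies to the following Windows editions:" reads more clearly. The same sentence is added to every CSP file in this patch, so settle the wording once and reuse it.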
@@ -67,7 +78,7 @@ Root node. ***NAPX*** Required. Defines the name of the network access point. -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead). ***NAPX*/NAPID** Required. Specifies the identifier of the destination network. @@ -97,7 +108,7 @@ The following table shows some commonly used ADDRTYPE values and the types of co Optional node. Specifies the authentication information, including the protocol, user name, and password. ***NAPX*/AuthInfo/AuthType** -Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5. +Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5. ***NAPX*/AuthInfo/AuthName** Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*. @@ -111,7 +122,8 @@ Queries of this field will return a string composed of 16 asterisks (\*). Node. ***NAPX*/Bearer/BearerType** -Required. Specifies the network type of the destination network. This parameter's value can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. + +Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi. ## Related articles 
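Review bot: In the BearerType line, the permitted value "WiFi" is rewritten as "Wi-Fi" and the list is now joined with "and". These are literal values for the node, so a reader copying "Wi-Fi" into provisioning XML gets a different string from the one documented before; keep the original spelling unless the CSP accepts the hyphenated form, and join the list with "or" since a single bearer type is set. The added blank line between the ***NAPX*/Bearer/BearerType** heading and its description also breaks the pattern of the AuthType and AuthName nodes in this file, where the description follows the heading directly.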
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 075e0f6619..0f71a1c998 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -14,7 +14,18 @@ ms.date: 06/26/2017 # NAPDEF CSP -The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The NAPDEF configuration service provider is used to add, modify, or delete WAP Network Access Points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. > [!Note] > You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. @@ -71,7 +82,7 @@ A query of this parameter returns asterisks (\*) in the results. **AUTHTYPE** Specifies the protocol used to authenticate the user. -The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note +The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. > [!Note] > **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change. diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 743fe416fa..47b33480b1 100644 
--- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -13,11 +13,22 @@ manager: dansimp # NetworkProxy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. How the settings work: -- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it. +- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it. - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script. - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server. - Otherwise, the system tries to reach the site directly. diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index cf15fbcacc..5f455a3e9c 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -13,6 +13,17 @@ manager: dansimp # NetworkQoSPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: 
@@ -71,7 +82,7 @@ NetworkQoSPolicy

    The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -

    Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +

    Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.

    The data type is char. @@ -111,7 +122,7 @@ NetworkQoSPolicy

    The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -

    The differentiated services code point (DSCP) value to apply to matching network traffic. +

    The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.

    Valid values are 0-63. diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 039ac5d742..b307fa75b3 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # NodeCache CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes. 
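Review bot: The nodecache-csp.md addition ends at the "|Education|Yes|Yes|" row and the hunk adds 10 lines ("-14,6 +14,16"), whereas the nap-csp.md and napdef-csp.md hunks add a trailing empty "+" line after the same table. Check that a blank line separates the table from the "The NodeCache configuration service provider ..." paragraph in the resulting file, because without one Markdown renderers can fold the paragraph into the table. The multisim-csp.md and office-csp.md hunks have the same 10-line shape.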
@@ -72,7 +82,7 @@ NodeCache Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax. ***ProviderID*** -Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. +Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic. Supported operations are Get, Add, and Delete. 
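Review bot: The last sentence of the ProviderID description changes *ProviderID* to **ProviderID**, which makes a placeholder look like a literal node name. The node heading is bold-italic, and the same sentence uses plain bold for the fixed node **NodeCache**; keep the italic so "one *ProviderID* node under **NodeCache**" still distinguishes the variable node from the literal one.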
@@ -383,10 +393,11 @@ It represents this example: U09NRU5FV1ZBTFVF ``` -Id is the node Id that was added by the MDM server, and Uri is the path that the node is tracking. -If a Uri isn't set, the node will always be reported as changed, as in Node Id 10. -The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName didn't match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. +Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. +If a Uri is not set, the node will always be reported as changed, as in Node ID 10. + +The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. ## Related topics diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 79204c2935..e3ee2537c2 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -13,6 +13,16 @@ manager: dansimp # Office CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). 
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 21cc92b117..6714139d27 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -14,7 +14,19 @@ ms.date: 07/19/2019 # PassportForWork CSP -The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to sign in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. + > [!IMPORTANT] > Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index ff76751aef..736959df4e 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md 
@@ -13,6 +13,17 @@ manager: dansimp # Personalization CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|No| +|Business|No|No| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. This CSP was added in Windows 10, version 1703. diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md index 142d9058c1..61da8064e2 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md @@ -9,7 +9,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 03/01/2022 +ms.date: 06/06/2022 --- # Policies in Policy CSP supported by HoloLens 2 
@@ -50,11 +50,15 @@ ms.date: 03/01/2022 - [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) +- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) - [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays) 9 -- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 10 +- [MixedReality/AutoLogonUser](./policy-csp-mixedreality.md#mixedreality-autologonuser) 11 - [MixedReality/BrightnessButtonDisabled](./policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled) 9 +- [MixedReality/ConfigureMovingPlatform](policy-csp-mixedreality.md#mixedreality-configuremovingplatform) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update) - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics) 9 +- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#mixedreality-headtrackingmode) 9 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#mixedreality-microphonedisabled) 9 +- [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#mixedreality-visitorautologon) 10 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#mixedreality-volumebuttondisabled) 9 - [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) 9 - [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) 9 
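Review bot: The first added line duplicates the entry directly below it, so MixedReality/AADGroupMembershipCacheValidityInDays is now listed twice, once without a footnote and once with footnote 9; drop the added line. The new entries also link with "policy-csp-mixedreality.md" while the neighbouring MixedReality entries use "./policy-csp-mixedreality.md", and ConfigureMovingPlatform carries an inline "*[Feb. 2022 Servicing release]" marker instead of a numbered footnote like the other entries. Pick one convention for each.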
@@ -102,13 +106,13 @@ ms.date: 03/01/2022 - [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) 9 - [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) - [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) -- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 10 -- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 10 +- [Update/AutoRestartNotificationSchedule](policy-csp-update.md#update-autorestartnotificationschedule) 11 +- [Update/AutoRestartRequiredNotificationDismissal](policy-csp-update.md#update-autorestartrequirednotificationdismissal) 11 - [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) -- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 10 -- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 10 -- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 10 -- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 10 +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) 11 +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) 11 +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) 11 +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) 11 - [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays) - [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays) - [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds) 
@@ -116,10 +120,10 @@ ms.date: 03/01/2022 - [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates) - [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) - [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) -- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 10 -- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 10 +- [Update/ScheduleImminentRestartWarning](policy-csp-update.md#update-scheduleimminentrestartwarning) 11 +- [Update/ScheduleRestartWarning](policy-csp-update.md#update-schedulerestartwarning) 11 - [Update/SetDisablePauseUXAccess](policy-csp-update.md#update-setdisablepauseuxaccess) -- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 10 +- [Update/UpdateNotificationLevel](policy-csp-update.md#update-updatenotificationlevel) 11 - [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) - [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 @@ -133,8 +137,9 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. -- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes#windows-holographic-version-20h2) -- 10 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) +- 9 - Available in [Windows Holographic, version 20H2](/hololens/hololens-release-notes-2004#windows-holographic-version-20h2) +- 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1) +- 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2) ## Related topics 
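Review bot: In the footnotes hunk, inserting 21H1 as footnote 10 and moving 21H2 to 11 changes the meaning of every existing "10" marker, so any entry that still carries 10 after this patch would now claim 21H1 availability. Confirm that all former 10 markers were updated (the Update/* and MixedReality/AutoLogonUser lines in this patch are), or append the new footnote at the end instead of renumbering. Footnote 9 now points at "hololens-release-notes-2004" while 10 and 11 point at "hololens-release-notes"; verify that the "#windows-holographic-version-20h2" anchor exists on that page. Footnotes 9 through 11 also lack the closing period that 6 through 8 have.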
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index f23dbf7f6b..e984f6f104 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -41,6 +41,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 2a640df633..e261b05c4e 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -31,6 +31,12 @@ manager: dansimp

    Accounts/AllowMicrosoftAccountSignInAssistant
    +
    + Accounts/DomainNamesForEmailSync +
    +
    + Accounts/RestrictToEnterpriseDeviceAuthenticationOnly +
    @@ -45,6 +51,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -61,12 +68,12 @@ manager: dansimp -Specifies whether user is allowed to add non-MSA email accounts. +Specifies whether user is allowed to add email accounts other than Microsoft account. Most restricted value is 0. > [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. @@ -89,6 +96,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -106,7 +114,7 @@ The following list shows the supported values: -Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. +Specifies whether the user is allowed to use a Microsoft account for non-email related connection authentication and services. Most restricted value is 0. @@ -131,6 +139,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -151,10 +160,10 @@ The following list shows the supported values: Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. > [!NOTE] -> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). +> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). > [!NOTE] -> If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. +> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. @@ -168,9 +177,90 @@ The following list shows the supported values:
    + +**Accounts/DomainNamesForEmailSync** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + + + + +The following list shows the supported values: + + + + +
    + + +**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +Added in Windows 11, version 22H2. This setting determines whether to only allow enterprise device authentication for the Microsoft Account Sign-in Assistant service (wlidsvc). By default, this setting is disabled and allows both user and device authentication. When the value is set to 1, we only allow device authentication and block user authentication. + +Most restricted value is 1. + + + +The following list shows the supported values: + +- 0 (default) - Allow both device and user authentication. +- 1 - Only allow device authentication. Block user authentication. + + + +
    + + ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +[Policy CSP](policy-configuration-service-provider.md) + diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 206b52f009..d96b12b249 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -45,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index bc9d52e929..2a3088be3f 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -45,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index c31c112030..19c86af9d2 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -129,10 +129,11 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business||| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| -|Education||| +|Education|Yes|Yes|
    @@ -186,8 +187,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -244,8 +246,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -303,8 +306,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -358,8 +362,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -413,8 +418,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -469,8 +475,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -524,8 +531,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -582,8 +590,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -639,8 +648,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-admpwd.md b/windows/client-management/mdm/policy-csp-admx-admpwd.md index f8dee79bd9..b7c83023fa 100644 --- a/windows/client-management/mdm/policy-csp-admx-admpwd.md +++ b/windows/client-management/mdm/policy-csp-admx-admpwd.md @@ -54,6 +54,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,6 +97,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -141,6 +143,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -186,6 +189,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index 09fc5c811d..09e0448165 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -76,8 +76,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -129,8 +130,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -176,8 +178,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -227,8 +230,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -278,8 +282,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -332,8 +337,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -375,8 +381,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -425,8 +432,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -474,8 +482,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md index 7dc13ae3e1..bfa6e0e368 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md +++ b/windows/client-management/mdm/policy-csp-admx-appxpackagemanager.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-appxruntime.md b/windows/client-management/mdm/policy-csp-admx-appxruntime.md index 4095c01ad1..f9d07fe835 100644 --- a/windows/client-management/mdm/policy-csp-admx-appxruntime.md +++ b/windows/client-management/mdm/policy-csp-admx-appxruntime.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -98,8 +99,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -144,8 +146,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -192,8 +195,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md index a54fcdbac7..991162ca51 100644 --- a/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-admx-attachmentmanager.md @@ -55,8 +55,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -106,8 +107,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes 
@@ -157,8 +159,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -204,8 +207,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -251,8 +255,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md index c55966c2f8..4ae15d3c3b 100644 --- a/windows/client-management/mdm/policy-csp-admx-auditsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-bits.md b/windows/client-management/mdm/policy-csp-admx-bits.md index 5aaff2305b..ab01ed785d 100644 --- a/windows/client-management/mdm/policy-csp-admx-bits.md +++ b/windows/client-management/mdm/policy-csp-admx-bits.md @@ -82,8 +82,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -130,8 +131,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -179,8 +181,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -229,8 +232,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -278,8 +282,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -330,8 +335,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -381,8 +387,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -429,8 +436,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -477,8 +485,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -525,8 +534,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -575,8 +585,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -624,8 +635,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -673,8 +685,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -722,8 +735,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md index 91b1d7c6aa..a0033b3741 100644 --- a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-com.md b/windows/client-management/mdm/policy-csp-admx-com.md index 45c2e3e28b..d24c27f120 100644 --- a/windows/client-management/mdm/policy-csp-admx-com.md +++ b/windows/client-management/mdm/policy-csp-admx-com.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -98,8 +99,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-controlpanel.md b/windows/client-management/mdm/policy-csp-admx-controlpanel.md index 8f008a5bcd..c38abdd5cc 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpanel.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpanel.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -108,8 +109,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -159,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -217,8 +220,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md index e8e6178c75..8a4ec1282c 100644 --- a/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md +++ b/windows/client-management/mdm/policy-csp-admx-controlpaneldisplay.md @@ -112,8 +112,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -158,8 +159,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -202,8 +204,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,8 +252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -297,8 +301,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -342,8 +347,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -391,8 +397,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -442,8 +449,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -487,8 +495,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -532,8 +541,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -581,8 +591,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -628,8 +639,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -680,8 +692,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -727,8 +740,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -772,8 +786,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -817,8 +832,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -860,8 +876,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -905,8 +922,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -950,8 +968,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1002,8 +1021,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1055,8 +1075,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1107,8 +1128,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1152,8 +1174,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1206,8 +1229,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-cpls.md b/windows/client-management/mdm/policy-csp-admx-cpls.md index 19f04975a7..0191a8c79c 100644 --- a/windows/client-management/mdm/policy-csp-admx-cpls.md +++ b/windows/client-management/mdm/policy-csp-admx-cpls.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Cpls -description: Policy CSP - ADMX_Cpls +description: Learn about the Policy CSP - ADMX_Cpls. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -64,7 +65,7 @@ manager: dansimp This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. > [!NOTE] -> The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default pictures do not exist, an empty frame is displayed. +> The default account picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg.` The default guest picture is stored at `%PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg.` If the default pictures do not exist, an empty frame is displayed. If you enable this policy setting, the default user account picture will display for all users on the system with no customization allowed. @@ -84,6 +85,8 @@ ADMX Info:
    - +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md index 92381f92cc..2787753ef1 100644 --- a/windows/client-management/mdm/policy-csp-admx-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-admx-credentialproviders.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_CredentialProviders -description: Policy CSP - ADMX_CredentialProviders +description: Learn about the Policy CSP - ADMX_CredentialProviders. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -50,8 +50,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,8 +101,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -122,7 +124,7 @@ This policy setting allows the administrator to assign a specified credential pr If you enable this policy setting, the specified credential provider is selected on other user tile. -If you disable or do not configure this policy setting, the system picks the default credential provider on other user tile. +If you disable or don't configure this policy setting, the system picks the default credential provider on other user tile. > [!NOTE] > A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers. 
@@ -149,8 +151,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -190,4 +193,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credssp.md b/windows/client-management/mdm/policy-csp-admx-credssp.md index 18929d3fd6..fb24354248 100644 --- a/windows/client-management/mdm/policy-csp-admx-credssp.md +++ b/windows/client-management/mdm/policy-csp-admx-credssp.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_CredSsp -description: Policy CSP - ADMX_CredSsp +description: Learn about the Policy CSP - ADMX_CredSsp. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -73,8 +73,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -130,8 +131,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -191,8 +193,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -247,8 +250,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -305,8 +309,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -363,8 +368,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -421,8 +427,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -479,8 +486,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -535,8 +543,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -591,8 +600,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -647,8 +657,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -699,3 +710,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-credui.md b/windows/client-management/mdm/policy-csp-admx-credui.md index a62ce22ddd..133b87350c 100644 --- a/windows/client-management/mdm/policy-csp-admx-credui.md +++ b/windows/client-management/mdm/policy-csp-admx-credui.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_CredUI -description: Policy CSP - ADMX_CredUI +description: Learn about the Policy CSP - ADMX_CredUI. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -67,7 +68,7 @@ manager: dansimp This policy setting requires the user to enter Microsoft Windows credentials using a trusted path, to prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials. > [!NOTE] -> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled. +> This policy affects non-logon authentication tasks only. As a security best practice, this policy should be enabled. If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism. @@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -129,3 +131,6 @@ ADMX Info: < +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md index 89ce54faf5..22bb0e2b9c 100644 --- a/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md +++ b/windows/client-management/mdm/policy-csp-admx-ctrlaltdel.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_CtrlAltDel -description: Policy CSP - ADMX_CtrlAltDel +description: Learn about the Policy CSP - ADMX_CtrlAltDel. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -74,7 +75,7 @@ This policy setting prevents users from changing their Windows password on deman If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del. -However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. +However, users will still be able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring. @@ -99,8 +100,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -148,8 +150,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -195,8 +198,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -215,11 +219,11 @@ ADMX Info: This policy setting disables or removes all menu items and buttons that log the user off the system. -If you enable this policy setting, users won't see the Log off menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu. +If you enable this policy setting, users won't see the Logoff menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu. Also, see the 'Remove Logoff on the Start Menu' policy setting. -If you disable or don't configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del. +If you disable or don't configure this policy setting, users can see and select the Logoff menu item when they press Ctrl+Alt+Del. @@ -237,3 +241,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-datacollection.md b/windows/client-management/mdm/policy-csp-admx-datacollection.md index 33f7687705..9f7525d028 100644 --- a/windows/client-management/mdm/policy-csp-admx-datacollection.md +++ b/windows/client-management/mdm/policy-csp-admx-datacollection.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DataCollection -description: Policy CSP - ADMX_DataCollection +description: Learn about the Policy CSP - ADMX_DataCollection. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -86,3 +87,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) 
diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 510d934391..4e3e20eb48 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md +++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DCOM -description: Policy CSP - ADMX_DCOM +description: Learn about the Policy CSP - ADMX_DCOM. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -66,9 +67,10 @@ manager: dansimp This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list. -- If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. +If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list. + +If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list. -- If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list. If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured. > [!NOTE] 
@@ -95,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -120,14 +123,20 @@ DCOM server application IDs added to this policy must be listed in curly brace f For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`. If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors. -- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server. If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local -settings. -- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. +settings. -If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. +If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. + +If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used. + +If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. + +>[!Note] +> The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. 
+ This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. @@ -154,3 +163,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-desktop.md b/windows/client-management/mdm/policy-csp-admx-desktop.md index a7ea8ccda9..5017634eeb 100644 --- a/windows/client-management/mdm/policy-csp-admx-desktop.md +++ b/windows/client-management/mdm/policy-csp-admx-desktop.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Desktop -description: Policy CSP - ADMX_Desktop +description: Learn about Policy CSP - ADMX_Desktop. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -127,8 +127,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -175,8 +176,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,8 +227,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -273,8 +276,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -321,8 +325,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -370,8 +375,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -413,8 +419,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -459,8 +466,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -508,8 +516,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -552,8 +561,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -603,8 +613,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -653,8 +664,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -700,8 +712,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -746,8 +759,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -776,7 +790,6 @@ If you disable or don't configure this policy setting, the Properties menu comma - ADMX Info: - GP Friendly name: *Remove Properties from the Documents icon context menu* @@ -796,8 +809,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -842,8 +856,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -890,8 +905,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -936,8 +952,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -980,8 +997,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1025,8 +1043,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1077,8 +1096,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1122,8 +1142,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1171,8 +1192,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1219,8 +1241,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1263,8 +1286,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1310,8 +1334,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1362,8 +1387,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1414,8 +1440,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1463,8 +1490,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1501,3 +1529,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicecompat.md b/windows/client-management/mdm/policy-csp-admx-devicecompat.md index b1ccc54155..c1ac73f776 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicecompat.md +++ b/windows/client-management/mdm/policy-csp-admx-devicecompat.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DeviceCompat -description: Policy CSP - ADMX_DeviceCompat +description: Learn about Policy CSP - ADMX_DeviceCompat. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -45,8 +45,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -86,8 +87,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -104,7 +106,7 @@ ADMX Info: -Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions. +Changes behavior of third-party drivers to work around incompatibilities introduced between OS versions. @@ -118,4 +120,8 @@ ADMX Info: - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-deviceguard.md b/windows/client-management/mdm/policy-csp-admx-deviceguard.md index 5ac4d423c2..4a673e49f0 100644 
--- a/windows/client-management/mdm/policy-csp-admx-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceguard.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DeviceGuard -description: Policy CSP - ADMX_DeviceGuard +description: Learn about Policy CSP - ADMX_DeviceGuard. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -68,11 +69,12 @@ If you deploy a Code Integrity Policy, Windows will restrict what can run in bot To enable this policy, the machine must be rebooted. The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`), or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`. - + The local machine account (LOCAL SYSTEM) must have access permission to the policy file. -If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: -1. First update the policy to a non-protected policy and then disable the setting. -2. Disable the setting and then remove the policy from each computer, with a physically present user. +If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either: + +- First update the policy to a non-protected policy and then disable the setting. (or) +- Disable the setting and then remove the policy from each computer, with a physically present user. @@ -89,3 +91,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md index 62efd762ae..bbc9785c1b 100644 --- a/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-admx-deviceinstallation.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DeviceInstallation -description: Policy CSP - ADMX_DeviceInstallation +description: Learn about Policy CSP - ADMX_DeviceInstallation. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -64,8 +64,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -110,8 +111,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,8 +158,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -202,8 +205,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -248,8 +252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -272,7 +277,8 @@ If you enable this policy setting, set the number of seconds you want the system If you disable or don't configure this policy setting, the system doesn't force a reboot. -Note: If no reboot is forced, the device installation restriction right won't take effect until the system is restarted. +>[!Note] +> If no reboot is forced, the device installation restriction right won't take effect until the system is restarted. @@ -296,8 +302,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -341,8 +348,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -387,8 +395,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -426,4 +435,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-devicesetup.md b/windows/client-management/mdm/policy-csp-admx-devicesetup.md index c54fe1375e..d3b545c45a 100644 --- a/windows/client-management/mdm/policy-csp-admx-devicesetup.md +++ b/windows/client-management/mdm/policy-csp-admx-devicesetup.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DeviceSetup -description: Policy CSP - ADMX_DeviceSetup +description: Learn about Policy CSP - ADMX_DeviceSetup. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -92,8 +93,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -114,7 +116,10 @@ This policy setting allows you to specify the order in which Windows searches so If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all. -Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system. +>[!Note] +> Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. + +This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching is enabled and only when needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system. If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers. @@ -133,3 +138,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-dfs.md b/windows/client-management/mdm/policy-csp-admx-dfs.md index 49774e691d..029c5a1884 100644 --- a/windows/client-management/mdm/policy-csp-admx-dfs.md +++ b/windows/client-management/mdm/policy-csp-admx-dfs.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DFS -description: Policy CSP - ADMX_DFS +description: Learn about Policy CSP - ADMX_DFS. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -63,10 +64,9 @@ manager: dansimp This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. -- If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. -This value is specified in minutes. +If you enable this policy setting, you can configure how often a DFS client attempts to discover domain controllers. This value is specified in minutes. -- If you disable or do not configure this policy setting, the default value of 15 minutes applies. +If you disable or don't configure this policy setting, the default value of 15 minutes applies. > [!NOTE] > The minimum value you can select is 15 minutes. If you try to set this setting to a value less than 15 minutes, the default value of 15 minutes is applied. @@ -87,3 +87,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-digitallocker.md b/windows/client-management/mdm/policy-csp-admx-digitallocker.md index fafc357e89..0b11ba27af 100644 --- a/windows/client-management/mdm/policy-csp-admx-digitallocker.md +++ b/windows/client-management/mdm/policy-csp-admx-digitallocker.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DigitalLocker -description: Policy CSP - ADMX_DigitalLocker +description: Learn about Policy CSP - ADMX_DigitalLocker. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -74,7 +75,6 @@ If you disable or don't configure this setting, Digital Locker can be run. - ADMX Info: - GP Friendly name: *Do not allow Digital Locker to run* @@ -94,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -137,3 +138,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md index 312e6550d5..206c700ce3 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-diskdiagnostic.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DiskDiagnostic -description: Policy CSP - ADMX_DiskDiagnostic +description: Learn about Policy CSP - ADMX_DiskDiagnostic. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -66,12 +67,13 @@ manager: dansimp This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. -- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. -- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. +If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. -No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. +If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. + +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. > [!NOTE] @@ -99,8 +101,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -121,12 +124,15 @@ This policy setting determines the execution level for S.M.A.R.T.-based disk dia Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. -- If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. -- If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. -- If you do not configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. +If you enable this policy setting, the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. -No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. -This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. +If you disable this policy, S.M.A.R.T. faults are still detected and logged, but no corrective action is taken. + +If you don't configure this policy setting, the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. + +No reboots or service restarts are required for this policy setting to take effect, whereas changes take effect immediately. + +This policy setting takes effect only when the DPS is in the running state. 
When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. > [!NOTE] > For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. @@ -147,3 +153,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-disknvcache.md b/windows/client-management/mdm/policy-csp-admx-disknvcache.md index 6e82fec127..e3d2d46297 100644 --- a/windows/client-management/mdm/policy-csp-admx-disknvcache.md +++ b/windows/client-management/mdm/policy-csp-admx-disknvcache.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DiskNVCache -description: Policy CSP - ADMX_DiskNVCache +description: Learn about Policy CSP - ADMX_DiskNVCache. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -49,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -71,7 +72,6 @@ This policy setting turns off the boot and resumes optimizations for the hybrid If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume. -If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations. @@ -97,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -125,8 +126,6 @@ If you disable this policy setting, the system will manage the NV cache on the d This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache. - - @@ -148,8 +147,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -172,7 +172,10 @@ If you enable this policy setting, frequently written files such as the file sys If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. -This usage can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on. +This can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. + +>[!Note] +> This policy setting is applicable only if the NV cache feature is on. @@ -192,3 +195,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-diskquota.md b/windows/client-management/mdm/policy-csp-admx-diskquota.md index 5982c438b4..ac4604b2d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-diskquota.md +++ b/windows/client-management/mdm/policy-csp-admx-diskquota.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DiskQuota -description: Policy CSP - ADMX_DiskQuota +description: Learn about Policy CSP - ADMX_DiskQuota. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -59,8 +59,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -104,8 +105,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -158,8 +160,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -210,8 +213,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -260,8 +264,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -310,8 +315,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -354,3 +360,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md index ff67fc4f25..098addf8db 100644 --- a/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md +++ b/windows/client-management/mdm/policy-csp-admx-distributedlinktracking.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DistributedLinkTracking -description: Policy CSP - ADMX_DistributedLinkTracking +description: Learn about Policy CSP - ADMX_DistributedLinkTracking. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -61,8 +62,10 @@ manager: dansimp -This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. -The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. +This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers. + +The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer. + The DLT client can more reliably track links when allowed to use the DLT server. This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain. @@ -85,3 +88,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md index 8410109042..080d80ae3d 100644 --- a/windows/client-management/mdm/policy-csp-admx-dnsclient.md +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DnsClient -description: Policy CSP - ADMX_DnsClient +description: Learn about Policy CSP - ADMX_DnsClient. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -105,8 +105,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -150,8 +151,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -203,8 +205,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,8 +252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -313,8 +317,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -359,8 +364,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -405,8 +411,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -453,8 +460,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -502,8 +510,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -554,8 +563,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -580,7 +590,8 @@ If you enable this policy setting, a computer will register A and PTR resource r For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. -Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. +>[!Important] +> This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix. @@ -605,8 +616,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -631,7 +643,7 @@ If you enable this policy setting, registration of PTR records will be determine To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: -- don't register: Computers won't attempt to register PTR resource records +- Do not register: Computers won't attempt to register PTR resource records - Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful. - Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. 
@@ -658,8 +670,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -704,8 +717,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -726,11 +740,11 @@ This policy setting specifies whether dynamic updates should overwrite existing This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers. -During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. +During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing (A) resource record with an (A) resource record that has the client's current IP address. -If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. +If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting (A) resource records during dynamic update. -If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer. +If you disable this policy setting, existing (A) resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer. 
@@ -754,8 +768,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -807,8 +822,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -855,8 +871,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -908,8 +925,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -954,8 +972,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1002,8 +1021,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1054,8 +1074,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1102,8 +1123,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1166,8 +1188,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1207,3 +1230,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-dwm.md b/windows/client-management/mdm/policy-csp-admx-dwm.md index 10b9761d52..a3118e564b 100644 --- a/windows/client-management/mdm/policy-csp-admx-dwm.md +++ b/windows/client-management/mdm/policy-csp-admx-dwm.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_DWM -description: Policy CSP - ADMX_DWM +description: Learn about Policy CSP - ADMX_DWM. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -58,8 +58,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -107,8 +108,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,8 +158,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -204,8 +207,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -252,8 +256,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -301,8 +306,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -343,3 +349,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-eaime.md b/windows/client-management/mdm/policy-csp-admx-eaime.md index 21ee8c0b36..6b81a966e1 100644 --- a/windows/client-management/mdm/policy-csp-admx-eaime.md +++ b/windows/client-management/mdm/policy-csp-admx-eaime.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EAIME -description: Policy CSP - ADMX_EAIME +description: Learn about the Policy CSP - ADMX_EAIME. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -76,8 +76,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -127,8 +128,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -190,8 +192,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -243,8 +246,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -293,8 +297,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -346,8 +351,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -396,8 +402,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -444,8 +451,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -494,8 +502,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -544,8 +553,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -594,8 +604,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -644,8 +655,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -686,3 +698,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md index 00a8db9920..2ef08d8dea 100644 --- a/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md +++ b/windows/client-management/mdm/policy-csp-admx-encryptfilesonmove.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EncryptFilesonMove -description: Policy CSP - ADMX_EncryptFilesonMove +description: Learn about the Policy CSP - ADMX_EncryptFilesonMove. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -63,9 +64,9 @@ manager: dansimp This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder. -If you enable this policy setting, File Explorer will not automatically encrypt files that are moved to an encrypted folder. +If you enable this policy setting, File Explorer won't automatically encrypt files that are moved to an encrypted folder. -If you disable or do not configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. +If you disable or don't configure this policy setting, File Explorer automatically encrypts files that are moved to an encrypted folder. This setting applies only to files moved within a volume. When files are moved to other volumes, or if you create a new file in an encrypted folder, File Explorer encrypts those files automatically. @@ -86,3 +87,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md index 2ab763817c..7a97834588 100644 --- a/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md +++ b/windows/client-management/mdm/policy-csp-admx-enhancedstorage.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EnhancedStorage -description: Policy CSP - ADMX_EnhancedStorage +description: Learn about the Policy CSP - ADMX_EnhancedStorage. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -58,8 +58,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -76,7 +77,7 @@ manager: dansimp -This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. +This policy setting allows you to configure a list of Enhanced Storage devices that contain a manufacturer and product ID that are usable on your computer. If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer and product ID specified in this policy are usable on your computer. @@ -103,8 +104,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -121,7 +123,7 @@ ADMX Info: -This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. +This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that is usable on your computer. If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer. @@ -148,8 +150,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -193,8 +196,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -238,8 +242,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -258,7 +263,8 @@ ADMX Info: This policy setting locks Enhanced Storage devices when the computer is locked. -This policy setting is supported in Windows Server SKUs only. +>[!Note] +>This policy setting is supported in Windows Server SKUs only. If you enable this policy setting, the Enhanced Storage device remains locked when the computer is locked. @@ -285,8 +291,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -324,3 +331,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-errorreporting.md b/windows/client-management/mdm/policy-csp-admx-errorreporting.md index 7e72497d05..52dececdfe 100644 --- a/windows/client-management/mdm/policy-csp-admx-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-admx-errorreporting.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ErrorReporting -description: Policy CSP - ADMX_ErrorReporting +description: Learn about the Policy CSP - ADMX_ErrorReporting. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -127,8 +127,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -178,8 +179,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,8 +227,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -249,11 +252,14 @@ To create a list of applications for which Windows Error Reporting never reports If you enable this policy setting, you can create a list of applications that are always included in error reporting. To add applications to the list, click Show under the Report errors for applications on this list setting, and edit the list of application file names in the Show Contents dialog box. The file names must include the .exe file name extension (for example, notepad.exe). Errors that are generated by applications on this list are always reported, even if the Default dropdown in the Default application reporting policy setting is set to report no application errors. -If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.) +If the Report all errors in Microsoft applications or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled, Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. + +>[!Note] +>The Microsoft applications category includes the Windows components category. If you disable this policy setting or don't configure it, the Default application reporting settings policy setting takes precedence. -Also see the "Default Application Reporting" and "Application Exclusion List" policies. +Also, see the "Default Application Reporting" and "Application Exclusion List" policies. This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured. 
@@ -279,8 +285,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -307,22 +314,17 @@ This policy setting doesn't enable or disable Windows Error Reporting. To turn W If you enable this policy setting, the setting overrides any user changes made to Windows Error Reporting settings in Control Panel, and default values are applied for any Windows Error Reporting policy settings that aren't configured (even if users have changed settings by using Control Panel). If you enable this policy setting, you can configure the following settings in the policy setting: - "Do not display links to any Microsoft ‘More information’ websites": Select this option if you don't want error dialog boxes to display links to Microsoft websites. - - "Do not collect additional files": Select this option if you don't want extra files to be collected and included in error reports. - - "Do not collect additional computer data": Select this option if you don't want additional information about the computer to be collected and included in error reports. - - "Force queue mode for application errors": Select this option if you don't want users to report errors. When this option is selected, errors are stored in a queue directory, and the next administrator to sign in to the computer can send the error reports to Microsoft. - - "Corporate file path": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location instead of being sent directly to Microsoft, and the next administrator to sign in to the computer can send the error reports to Microsoft. - - "Replace instances of the word ‘Microsoft’ with": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text. If you don't configure this policy setting, users can change Windows Error Reporting settings in Control Panel. By default, these settings are Enable Reporting on computers that are running Windows XP, and Report to Queue on computers that are running Windows Server 2003. 
If you disable this policy setting, configuration settings in the policy setting are left blank. -See related policy settings Display Error Notification (same folder as this policy setting), and Turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. +See related policy settings Display Error Notification (same folder as this policy setting), and turn off Windows Error Reporting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings. @@ -345,8 +347,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -394,8 +397,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -439,8 +443,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|No|No| @@ -484,8 +489,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -529,8 +535,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|No|No| @@ -572,8 +579,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -617,8 +625,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -662,8 +671,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -707,8 +717,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -752,8 +763,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -797,8 +809,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -842,8 +855,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -887,8 +901,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -910,13 +925,9 @@ This policy setting determines the consent behavior of Windows Error Reporting f If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those types meant for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. - 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. - - 1 (Always ask before sending data): Windows prompts the user for consent to send reports. - - 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send more data requested by Microsoft. - - 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send more data requested by Microsoft. - - 4 (Send all data): Any data requested by Microsoft is sent automatically. If you disable or don't configure this policy setting, then the default consent settings that are applied are those settings specified by the user in Control Panel, or in the Configure Default Consent policy setting. @@ -942,8 +953,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|No|No| |Education|Yes|Yes| @@ -987,8 +999,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1032,8 +1045,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1054,13 +1068,10 @@ This policy setting determines the default consent behavior of Windows Error Rep If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: -- Always ask before sending data: Windows prompts users for consent to send reports. - -- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. - -- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. - -- Send all data: any error reporting data requested by Microsoft is sent automatically. +- **Always ask before sending data**: Windows prompts users for consent to send reports. +- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. +- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. +- **Send all data**: any error reporting data requested by Microsoft is sent automatically. If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. 
@@ -1085,8 +1096,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1107,13 +1119,10 @@ This policy setting determines the default consent behavior of Windows Error Rep If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy setting: -- Always ask before sending data: Windows prompts users for consent to send reports. - -- Send parameters: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. - -- Send parameters and safe extra data: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. - -- Send all data: any error reporting data requested by Microsoft is sent automatically. +- **Always ask before sending data**: Windows prompts users for consent to send reports. +- **Send parameters**: Only the minimum data that is required to check for an existing solution is sent automatically, and Windows prompts users for consent to send more data that is requested by Microsoft. +- **Send parameters and safe extra data**: the minimum data that is required to check for an existing solution, along with data which Windows has determined (within a high probability) doesn't contain personally identifiable information is sent automatically, and Windows prompts the user for consent to send more data that is requested by Microsoft. +- **Send all data**: any error reporting data requested by Microsoft is sent automatically. If this policy setting is disabled or not configured, then the consent level defaults to the highest-privacy setting: Always ask before sending data. 
@@ -1138,8 +1147,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1183,8 +1193,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1229,8 +1240,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1274,8 +1286,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1319,8 +1332,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1364,8 +1378,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1409,8 +1424,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1456,8 +1472,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1497,3 +1514,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md index ffd209aa8f..0eeeb1a2e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EventForwarding -description: Policy CSP - ADMX_EventForwarding +description: Learn about the Policy CSP - ADMX_EventForwarding. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -47,8 +47,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -97,8 +98,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -122,11 +124,11 @@ If you enable this policy setting, you can configure the Source Computer to cont Use the following syntax when using the HTTPS protocol: ``` syntax - Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. ``` -When using the HTTP protocol, use port 5985. +>[!Note] +> When using the HTTP protocol, use port 5985. If you disable or don't configure this policy setting, the Event Collector computer won't be specified. @@ -146,3 +148,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md index 5156768413..8e16b2c305 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlog.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EventLog -description: Policy CSP - ADMX_EventLog +description: Learn about the Policy CSP - ADMX_EventLog. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -103,8 +103,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -125,7 +126,10 @@ This policy setting turns on logging. If you enable or don't configure this policy setting, then events can be written to this log. -If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting. +If the policy setting is disabled, then no new events can be logged. + +>[!Note] +> Events can always be read from the log, regardless of this policy setting. @@ -148,8 +152,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -193,8 +198,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -238,8 +244,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -283,8 +290,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -328,8 +336,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -373,8 +382,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -420,8 +430,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -467,8 +478,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -514,8 +526,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -561,8 +574,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -609,8 +623,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -657,8 +672,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -705,8 +721,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -753,8 +770,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -800,8 +818,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -847,8 +866,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -894,8 +914,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -941,8 +962,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|No|No| |Education|Yes|Yes| @@ -965,7 +987,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +>[!Note] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -988,8 +1011,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1012,7 +1036,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +>[!Note] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -1036,8 +1061,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1060,7 +1086,8 @@ If you enable this policy setting and a log file reaches its maximum size, new e If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +>[!Note] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -1077,3 +1104,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-eventlogging.md b/windows/client-management/mdm/policy-csp-admx-eventlogging.md index 135c65ed8f..62d1bc8a55 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventlogging.md +++ b/windows/client-management/mdm/policy-csp-admx-eventlogging.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EventLogging -description: Policy CSP - ADMX_EventLogging +description: Learn about the Policy CSP - ADMX_EventLogging. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -63,11 +64,11 @@ manager: dansimp This policy setting lets you configure Protected Event Logging. -- If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. +If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. -You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with. +You can use the `Unprotect-CmsMessage` PowerShell cmdlet to decrypt these encrypted messages, if you have access to the private key corresponding to the public key that they were encrypted with. -- If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log. +If you disable or don't configure this policy setting, components won't encrypt event log messages before writing them to the event log. @@ -85,3 +86,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-eventviewer.md b/windows/client-management/mdm/policy-csp-admx-eventviewer.md index b5dd4d7f65..e04745a40b 100644 --- a/windows/client-management/mdm/policy-csp-admx-eventviewer.md 
+++ b/windows/client-management/mdm/policy-csp-admx-eventviewer.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_EventViewer -description: Policy CSP - ADMX_EventViewer +description: Learn about the Policy CSP - ADMX_EventViewer. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -49,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -91,8 +92,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -132,8 +134,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -150,9 +153,9 @@ ADMX Info: -This URL is the one that will be passed to the Description area in the Event Properties dialog box. -Change this value if you want to use a different Web server to handle event information requests. +This URL is the one that will be passed to the Description area in the Event Properties dialog box. +Change this value if you want to use a different Web server to handle event information requests. @@ -170,3 +173,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-explorer.md b/windows/client-management/mdm/policy-csp-admx-explorer.md index cc7f6818aa..36e0b39de2 100644 --- a/windows/client-management/mdm/policy-csp-admx-explorer.md +++ b/windows/client-management/mdm/policy-csp-admx-explorer.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Explorer -description: Policy CSP - ADMX_Explorer +description: Learn about the Policy CSP - ADMX_Explorer. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -55,8 +55,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -73,7 +74,7 @@ manager: dansimp -Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. +This policy setting sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy. @@ -96,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -145,8 +147,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -163,7 +166,7 @@ ADMX Info: -This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values. +This policy setting allows administrators who have configured roaming profile with Delete Cached Roaming Profile Group Policy setting to ensure that Explorer won't reinitialize default program associations and other settings to default values. If you enable this policy setting on a machine that doesn't contain all programs installed in the same manner as it was on the machine on which the user had last logged on, unexpected behavior could occur. 
@@ -188,8 +191,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -206,14 +210,14 @@ ADMX Info: -This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. +This policy setting allows administrators to prevent users from adding new items, such as files or folders to the root of their Users Files folder in File Explorer. -If you enable this policy setting, users will no longer be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. +If you enable this policy setting, users will no longer be able to add new items, such as files or folders to the root of their Users Files folder in File Explorer. If you disable or don't configure this policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in File Explorer. > [!NOTE] -> Enabling this policy setting doesn't prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%. +> Enabling this policy setting doesn't prevent the user from being able to add new items, such as files and folders to their actual file system profile folder at %userprofile%. @@ -236,8 +240,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -254,7 +259,9 @@ ADMX Info: -This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios. +This policy is similar to settings directly available to computer users. + +Disabling animations can improve usability for users with some visual disabilities, and also improve performance and battery life in some scenarios. @@ -269,4 +276,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-externalboot.md b/windows/client-management/mdm/policy-csp-admx-externalboot.md index 88a074cba8..93b3bee4e0 100644 --- a/windows/client-management/mdm/policy-csp-admx-externalboot.md +++ b/windows/client-management/mdm/policy-csp-admx-externalboot.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ExternalBoot -description: Policy CSP - ADMX_ExternalBoot +description: Learn about the Policy CSP - ADMX_ExternalBoot. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -71,9 +72,9 @@ manager: dansimp This policy specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. -- If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. +If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. -- If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC. +If you disable or don't configure this setting, Windows, when started from a Windows To Go workspace, and can't hibernate the PC. @@ -99,8 +100,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -145,8 +147,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -165,9 +168,9 @@ ADMX Info: This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. -- If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item. +If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users won't be able to make changes using the Windows To Go Startup Options Control Panel item. -- If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration. +If you disable this setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the BIOS or other boot order configuration. If you don't configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item. @@ -185,3 +188,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md index 74cc4f3f50..b5239ba4b3 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FileRecovery -description: Policy CSP - ADMX_FileRecovery +description: Learn about the Policy CSP - ADMX_FileRecovery. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -40,8 +40,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -74,3 +75,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-filerevocation.md b/windows/client-management/mdm/policy-csp-admx-filerevocation.md index 3fd0807394..dedad2fa09 100644 --- a/windows/client-management/mdm/policy-csp-admx-filerevocation.md +++ b/windows/client-management/mdm/policy-csp-admx-filerevocation.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FileRevocation -description: Policy CSP - ADMX_FileRevocation +description: Learn about the Policy CSP - ADMX_FileRevocation. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -41,8 +41,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -60,9 +61,9 @@ manager: dansimp Windows Runtime applications can protect content that has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: `Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy` -- If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. +If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. -- If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. +If you disable or don't configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. @@ -85,3 +86,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md index 18ddd06906..71897ec183 100644 
--- a/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md +++ b/windows/client-management/mdm/policy-csp-admx-fileservervssprovider.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FileServerVSSProvider -description: Policy CSP - ADMX_FileServerVSSProvider +description: Learn about the Policy CSP - ADMX_FileServerVSSProvider. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -86,3 +87,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-filesys.md b/windows/client-management/mdm/policy-csp-admx-filesys.md index ab0c455e6b..0e4f4f4725 100644 --- a/windows/client-management/mdm/policy-csp-admx-filesys.md +++ b/windows/client-management/mdm/policy-csp-admx-filesys.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FileSys -description: Policy CSP - ADMX_FileSys +description: Learn about the Policy CSP - ADMX_FileSys. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -62,8 +62,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -99,12 +100,12 @@ ADMX Info: **ADMX_FileSys/DisableDeleteNotification** - |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -146,8 +147,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -164,8 +166,9 @@ ADMX Info: -Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files. +Encryption can add to the processing overhead of filesystem operations. +Enabling this setting will prevent access to and creation of encrypted files. ADMX Info: @@ -184,8 +187,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -202,7 +206,9 @@ ADMX Info: -Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted. +Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. + +Enabling this setting will cause the page files to be encrypted. @@ -223,8 +229,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -241,7 +248,9 @@ ADMX Info: -Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to be accessible within the process. +Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal 260 character limit per node on file systems that support it. + +Enabling this setting will cause the long paths to be accessible within the process. @@ -262,8 +271,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -282,7 +292,9 @@ ADMX Info: This policy setting provides control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. -If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume. +If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they'll never be generated. If you set short name creation to be configurable on a per volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. + +If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume. 
@@ -304,8 +316,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -353,8 +366,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -390,3 +404,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-folderredirection.md b/windows/client-management/mdm/policy-csp-admx-folderredirection.md index cebe91fbd3..fc2f29a559 100644 --- a/windows/client-management/mdm/policy-csp-admx-folderredirection.md +++ b/windows/client-management/mdm/policy-csp-admx-folderredirection.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FolderRedirection -description: Policy CSP - ADMX_FolderRedirection +description: Learn about the Policy CSP - ADMX_FolderRedirection. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -60,8 +60,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -111,8 +112,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -161,8 +163,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -206,8 +209,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -254,8 +258,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -301,8 +306,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -350,8 +356,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -395,3 +402,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md index 4b83f0c105..ba90f4137d 100644 --- a/windows/client-management/mdm/policy-csp-admx-framepanes.md +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FramePanes -description: Policy CSP - ADMX_FramePanes +description: Learn about the Policy CSP - ADMX_FramePanes. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -63,14 +64,14 @@ manager: dansimp This policy setting shows or hides the Details Pane in File Explorer. -- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user. +If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and can't be turned on by the user. -- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user. +If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and can't be hidden by the user. > [!NOTE] > This has a side effect of not being able to toggle to the Preview Pane since the two can't be displayed at the same time. -- If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. +If you disable, or don't configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. This setting is the default policy setting. @@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -114,9 +116,9 @@ ADMX Info: Hides the Preview Pane in File Explorer. -- If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user. +If you enable this policy setting, the Preview Pane in File Explorer is hidden and can't be turned on by the user. -- If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user. +If you disable, or don't configure this setting, the Preview Pane is hidden by default and can be displayed by the user. 
@@ -132,3 +134,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md index 3cf5694548..a87f70ce8d 100644 --- a/windows/client-management/mdm/policy-csp-admx-fthsvc.md +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_FTHSVC -description: Policy CSP - ADMX_FTHSVC +description: Learn about the Policy CSP - ADMX_FTHSVC. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -62,12 +63,14 @@ manager: dansimp This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. -- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. +If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. -- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. -If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. -This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. -This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +If you disable this policy setting, Windows can't detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. + +If you don't configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. + +This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured. +This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. @@ -87,3 +90,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index 45623d01c7..7483d618f1 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Globalization -description: Policy CSP - ADMX_Globalization +description: Learn about the Policy CSP - ADMX_Globalization. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -112,8 +112,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -134,9 +135,9 @@ This policy prevents automatic copying of user input methods to the system accou This confinement doesn't affect the availability of user input methods on the lock screen or with the UAC prompt. -If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. +If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. -If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. +If the policy is disabled or not configured, then the user will be able to use input methods enabled for their user account on the sign-in page. @@ -160,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -213,8 +215,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -266,8 +269,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -319,8 +323,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -369,8 +374,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -418,8 +424,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -465,8 +472,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -490,7 +498,7 @@ Automatic learning enables the collection and storage of text and ink written by > [!NOTE] > Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users can't configure this setting in Control Panel. +If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. 
@@ -524,8 +532,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -549,7 +558,7 @@ Automatic learning enables the collection and storage of text and ink written by > [!NOTE] > Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. For more information, see Tablet PC Help. -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users can't configure this setting in Control Panel. +If you enable this policy setting, automatic learning stops and any stored data are deleted. Users can't configure this setting in Control Panel. If you disable this policy setting, automatic learning is turned on. Users can't configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. @@ -583,8 +592,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -630,8 +640,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -679,8 +690,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -730,8 +742,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -777,8 +790,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -826,8 +840,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -875,8 +890,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -924,8 +940,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -977,8 +994,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1030,8 +1048,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1077,8 +1096,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1099,9 +1119,9 @@ This policy turns off the autocorrect misspelled words option. This turn off doe The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. -If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. +If the policy is enabled, then the option will be locked to not autocorrect misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. The availability and function of this setting is dependent on supported languages being enabled. @@ -1125,8 +1145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1147,9 +1168,9 @@ This policy turns off the highlight misspelled words option. This turn off doesn The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. -If the policy is Enabled, then the option will be locked to not highlight misspelled words. +If the policy is enabled, then the option will be locked to not highlight misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. The availability and function of this setting is dependent on supported languages being enabled. @@ -1174,8 +1195,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1196,9 +1218,9 @@ This policy turns off the insert a space after selecting a text prediction optio The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. +If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. The availability and function of this setting is dependent on supported languages being enabled. @@ -1222,8 +1244,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1244,9 +1267,9 @@ This policy turns off the offer text predictions as I type option. This turn off The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not offer text predictions. +If the policy is enabled, then the option will be locked to not offer text predictions. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +If the policy is disabled or not configured, then the user will be free to change the setting according to their preference. The availability and function of this setting is dependent on supported languages being enabled. 
@@ -1271,8 +1294,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1312,4 +1336,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md index f3e83e48f1..9b8a2007ca 100644 --- a/windows/client-management/mdm/policy-csp-admx-grouppolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-grouppolicy.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_GroupPolicy -description: Policy CSP - ADMX_GroupPolicy +description: Learn about the Policy CSP - ADMX_GroupPolicy. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -168,8 +168,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -224,8 +225,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -276,8 +278,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -330,8 +333,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -384,8 +388,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -436,8 +441,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -490,8 +496,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -544,8 +551,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -594,8 +602,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -646,8 +655,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -698,8 +708,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -754,8 +765,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -810,8 +822,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -856,8 +869,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -911,8 +925,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -966,8 +981,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1008,8 +1024,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1065,8 +1082,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1114,8 +1132,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1165,8 +1184,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1219,8 +1239,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1267,8 +1288,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1317,8 +1339,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1367,8 +1390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1415,8 +1439,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1468,8 +1493,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1512,8 +1538,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1567,8 +1594,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1624,8 +1652,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1681,8 +1710,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1705,7 +1735,7 @@ In addition to background updates, Group Policy for the computer is always updat By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy. @@ -1740,8 +1770,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1762,7 +1793,7 @@ This policy setting specifies how often Group Policy is updated on domain contro By default, Group Policy on the domain controllers is updated every five minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. If you disable or don't configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. @@ -1793,8 +1824,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1817,7 +1849,7 @@ In addition to background updates, Group Policy for users is always updated when By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. -If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations. +If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, short update intervals aren't appropriate for most installations. If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting. @@ -1854,8 +1886,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1906,8 +1939,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1954,8 +1988,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2000,8 +2035,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2025,7 +2061,6 @@ By default, when you edit a Group Policy Object (GPO) using the Group Policy Obj This edit-option leads to the following behavior: - If you originally created the GPO with, for example, an English system, the GPO contains English ADM files. - - If you later edit the GPO from a different-language system, you get the English ADM files as they were in the GPO. You can change this behavior by using this setting. @@ -2034,7 +2069,7 @@ If you enable this setting, the Group Policy Object Editor snap-in always uses l This pattern leads to the following behavior: -- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. +If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates. If you disable or don't configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO. @@ -2063,8 +2098,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2084,21 +2120,15 @@ ADMX Info: This security feature provides a means to override individual process MitigationOptions settings. This security feature can be used to enforce many security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are: -PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001) -Enables data execution prevention (DEP) for the child process +PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001): Enables data execution prevention (DEP) for the child process -PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) -Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. +PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002): Enables DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Template Library (ATL) thunk layer. -PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004) -Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. +PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004): Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. 
-PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) -The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded. +PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100): The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded. -PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) -PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) -The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. +PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000),PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000): The bottom-up randomization policy, which includes stack randomization options, causes a random location to be used as the lowest user address. For instance, to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON, disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF, and to leave all other options at their default values, specify a value of: ???????????????0???????1???????1 @@ -2127,8 +2157,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2178,8 +2209,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2220,8 +2252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2271,8 +2304,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2325,8 +2359,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2371,8 +2406,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2391,13 +2427,12 @@ ADMX Info: This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who signs in to a computer affected by this setting. It's intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used. -By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. +By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies. If you enable this setting, you can select one of the following modes from the Mode box: -"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. - -"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. +- "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user. +- "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings. If you disable this setting or don't configure it, the user's Group Policy Objects determines which user settings apply. @@ -2419,4 +2454,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-help.md b/windows/client-management/mdm/policy-csp-admx-help.md index 3bdf5aa985..603e13fa68 100644 --- a/windows/client-management/mdm/policy-csp-admx-help.md +++ b/windows/client-management/mdm/policy-csp-admx-help.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Help -description: Policy CSP - ADMX_Help +description: Learn about the Policy CSP - ADMX_Help. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -22,7 +22,7 @@ manager: dansimp
    - ## ADMX_Help policies
    @@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -82,7 +83,7 @@ If you disable or don't configure this policy setting, DEP is turned on for HTML ADMX Info: -- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executible* +- GP Friendly name: *Turn off Data Execution Prevention for HTML Help Executable* - GP name: *DisableHHDEP* - GP path: *System* - GP ADMX file name: *Help.admx* @@ -99,8 +100,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -159,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -210,8 +213,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -256,3 +260,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md index 806207275f..d1db72afc5 100644 --- a/windows/client-management/mdm/policy-csp-admx-helpandsupport.md +++ b/windows/client-management/mdm/policy-csp-admx-helpandsupport.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_HelpAndSupport -description: Policy CSP - ADMX_HelpAndSupport +description: Learn about the Policy CSP - ADMX_HelpAndSupport. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -71,9 +72,9 @@ manager: dansimp This policy setting specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. -If you enable this policy setting, active content links are not rendered. The text is displayed, but there are no clickable links for these elements. +If you enable this policy setting, active content links aren't rendered. The text is displayed, but there are no clickable links for these elements. -If you disable or do not configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). +If you disable or don't configure this policy setting, the default behavior applies (Help viewer renders trusted assistance content with active elements). @@ -97,8 +98,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -117,9 +119,9 @@ ADMX Info: This policy setting specifies whether users can provide ratings for Help content. -If you enable this policy setting, ratings controls are not added to Help content. +If you enable this policy setting, ratings controls aren't added to Help content. -If you disable or do not configure this policy setting, ratings controls are added to Help topics. +If you disable or don't configure this policy setting, ratings controls are added to Help topics. Users can use the control to provide feedback on the quality and usefulness of the Help and Support content. 
@@ -144,8 +146,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -164,9 +167,9 @@ ADMX Info: This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. -If you enable this policy setting, users cannot participate in the Help Experience Improvement program. +If you enable this policy setting, users can't participate in the Help Experience Improvement program. -If you disable or do not configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. +If you disable or don't configure this policy setting, users can turn on the Help Experience Improvement program feature from the Help and Support settings page. @@ -190,8 +193,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -212,7 +216,7 @@ This policy setting specifies whether users can search and view content from Win If you enable this policy setting, users are prevented from accessing online assistance content from Windows Online. -If you disable or do not configure this policy setting, users can access online assistance if they have a connection to the Internet and have not disabled Windows Online from the Help and Support Options page. +If you disable or don't configure this policy setting, users can access online assistance if they have a connection to the Internet and haven't disabled Windows Online from the Help and Support Options page. 
@@ -232,3 +236,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md index bf33f5110d..48356bdf1a 100644 --- a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_HotSpotAuth -description: Policy CSP - ADMX_HotSpotAuth +description: Learn about the Policy CSP - ADMX_HotSpotAuth. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -66,9 +67,9 @@ This policy setting defines whether WLAN hotspots are probed for Wireless Intern - If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. -- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. +- If you enable this policy setting, or if you don't configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. -- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. +- If you disable this policy setting, WLAN hotspots aren't probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. @@ -87,3 +88,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-admx-icm.md b/windows/client-management/mdm/policy-csp-admx-icm.md index 2f9b7183ac..c80b5b8007 100644 --- a/windows/client-management/mdm/policy-csp-admx-icm.md +++ b/windows/client-management/mdm/policy-csp-admx-icm.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_ICM -description: Policy CSP - ADMX_ICM +description: Learn about the Policy CSP - ADMX_ICM. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -117,8 +117,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -165,8 +166,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -213,8 +215,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -264,8 +267,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -317,8 +321,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -370,8 +375,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -420,8 +426,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -470,8 +477,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -518,8 +526,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -566,8 +575,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -613,8 +623,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -659,8 +670,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -707,8 +719,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -759,8 +772,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -808,8 +822,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -859,8 +874,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -907,8 +923,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -955,8 +972,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1003,8 +1021,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1051,8 +1070,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1099,8 +1119,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1145,8 +1166,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1193,8 +1215,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1239,8 +1262,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1287,8 +1311,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1337,8 +1362,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1384,3 +1410,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md index 424b4a38f2..c68c2b9d10 100644 --- a/windows/client-management/mdm/policy-csp-admx-iis.md +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_IIS -description: Policy CSP - ADMX_IIS +description: Learn about the Policy CSP - ADMX_IIS. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -62,11 +63,11 @@ manager: dansimp This policy setting prevents installation of Internet Information Services (IIS) on this computer. -- If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting. +If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting. -Enabling this setting won't have any effect on IIS if IIS is already installed on the computer. +Enabling this setting won't have any effect on IIS, if IIS is already installed on the computer. -- If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run." +If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run." @@ -86,3 +87,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-iscsi.md b/windows/client-management/mdm/policy-csp-admx-iscsi.md index c9465d3231..67786a4e35 100644 --- a/windows/client-management/mdm/policy-csp-admx-iscsi.md +++ b/windows/client-management/mdm/policy-csp-admx-iscsi.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_iSCSI -description: Policy CSP - ADMX_iSCSI +description: Learn about the Policy CSP - ADMX_iSCSI. ms.author: dansimp ms.localizationpriority: medium ms.topic: article 
@@ -49,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -136,8 +138,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -175,3 +178,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-kdc.md b/windows/client-management/mdm/policy-csp-admx-kdc.md index 1173ca86f8..5ea252a9f3 100644 --- a/windows/client-management/mdm/policy-csp-admx-kdc.md +++ b/windows/client-management/mdm/policy-csp-admx-kdc.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_kdc -description: Policy CSP - ADMX_kdc +description: Learn about the Policy CSP - ADMX_kdc. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -13,6 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_kdc + >[!TIP] > These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -57,8 +58,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -106,7 +108,7 @@ Impact on domain controller performance when this policy setting is enabled: - Secure Kerberos domain capability discovery is required, resulting in more message exchanges. - Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size. -- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time, but doesn't change the service ticket size. +- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which result in increased processing time, but doesn't change the service ticket size. @@ -130,8 +132,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -178,8 +181,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -230,8 +234,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -279,8 +284,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -325,8 +331,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -372,3 +379,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-admx-kerberos.md b/windows/client-management/mdm/policy-csp-admx-kerberos.md index 998eb8189d..a70fa508b8 100644 --- a/windows/client-management/mdm/policy-csp-admx-kerberos.md +++ b/windows/client-management/mdm/policy-csp-admx-kerberos.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_Kerberos -description: Policy CSP - ADMX_Kerberos +description: Learn about the Policy CSP - ADMX_Kerberos. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -13,6 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_Kerberos + >[!TIP] > These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -63,8 +64,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -112,8 +114,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -165,8 +168,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -213,8 +217,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -261,8 +266,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -307,8 +313,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -355,8 +362,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -409,8 +417,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -449,3 +458,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md index a905d94c9a..4baef48f3a 100644 --- a/windows/client-management/mdm/policy-csp-admx-lanmanserver.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanserver.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_LanmanServer -description: Policy CSP - ADMX_LanmanServer +description: Learn about the Policy CSP - ADMX_LanmanServer. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -13,6 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanServer + >[!TIP] > These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -51,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -117,8 +119,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -177,8 +180,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -199,9 +203,7 @@ This policy setting specifies whether the BranchCache hash generation service su If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. -Policy configuration - -Select one of the following options: +For policy configuration, select one of the following options: - Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. - Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved. @@ -237,8 +239,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -282,3 +285,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) diff --git a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md index 8fcfe9af1e..1459422b9a 100644 
--- a/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-admx-lanmanworkstation.md @@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_LanmanWorkstation -description: Policy CSP - ADMX_LanmanWorkstation +description: Learn about the Policy CSP - ADMX_LanmanWorkstation. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -13,6 +13,7 @@ manager: dansimp --- # Policy CSP - ADMX_LanmanWorkstation + >[!TIP] > These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > @@ -48,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -115,8 +117,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -164,8 +167,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -207,4 +211,8 @@ ADMX Info: - \ No newline at end of file + + +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md index a362e05ab9..abf93f8dcf 100644 --- a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md 
@@ -1,6 +1,6 @@ --- title: Policy CSP - ADMX_LeakDiagnostic -description: Policy CSP - ADMX_LeakDiagnostic +description: Learn about the Policy CSP - ADMX_LeakDiagnostic. ms.author: dansimp ms.localizationpriority: medium ms.topic: article @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -62,13 +63,13 @@ manager: dansimp This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. -- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. +If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. -- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. +If you disable or don't configure this policy setting, Windows displays the default alert text in the disk diagnostic message. No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. -This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios aren't executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. 
@@ -94,3 +95,6 @@ ADMX Info: +## Related topics + +[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md index 7cddcc7cb6..8af8087093 100644 --- a/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md +++ b/windows/client-management/mdm/policy-csp-admx-linklayertopologydiscovery.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md index e842530d5b..34d7b1561d 100644 --- a/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md +++ b/windows/client-management/mdm/policy-csp-admx-locationprovideradm.md @@ -45,8 +45,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-logon.md b/windows/client-management/mdm/policy-csp-admx-logon.md index 00056b7db9..39410f580e 100644 --- a/windows/client-management/mdm/policy-csp-admx-logon.md +++ b/windows/client-management/mdm/policy-csp-admx-logon.md 
@@ -85,8 +85,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -130,8 +131,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -176,8 +178,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,8 +228,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -274,8 +278,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -327,8 +332,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -380,8 +386,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -426,8 +433,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -472,8 +480,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -529,8 +538,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -583,8 +593,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -636,8 +647,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -690,8 +702,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -754,8 +767,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -800,8 +814,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 15219dd17a..b600ea3664 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -318,8 +318,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -364,8 +365,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -414,8 +416,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -460,8 +463,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -511,8 +515,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -557,8 +562,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -605,8 +611,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -651,8 +658,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -693,8 +701,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -737,8 +746,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -779,8 +789,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -836,8 +847,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -909,8 +921,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -968,8 +981,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1028,8 +1042,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1079,8 +1094,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1125,8 +1141,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1167,8 +1184,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1213,8 +1231,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1259,8 +1278,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1311,8 +1331,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1363,8 +1384,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1409,8 +1431,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1455,8 +1478,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1501,8 +1525,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1547,8 +1572,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1593,8 +1619,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1639,8 +1666,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1685,8 +1713,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1731,8 +1760,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1777,8 +1807,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1823,8 +1854,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1869,8 +1901,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1915,8 +1948,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1961,8 +1995,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2007,8 +2042,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2053,8 +2089,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2111,8 +2148,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2157,8 +2195,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2199,8 +2238,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2241,8 +2281,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2286,8 +2327,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2332,8 +2374,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2372,8 +2415,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2414,8 +2458,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2456,8 +2501,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2505,8 +2551,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2551,8 +2598,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2597,8 +2645,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2644,8 +2693,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2690,8 +2740,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2736,8 +2787,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2782,8 +2834,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2828,8 +2881,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2874,8 +2928,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2920,8 +2975,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2965,8 +3021,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3011,8 +3068,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3057,8 +3115,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3103,8 +3162,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3149,8 +3209,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3195,8 +3256,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3241,8 +3303,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3287,8 +3350,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3333,8 +3397,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3379,8 +3444,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3425,8 +3491,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3471,8 +3538,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3517,8 +3585,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3575,8 +3644,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3621,8 +3691,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3667,8 +3738,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3715,8 +3787,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3761,8 +3834,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3807,8 +3881,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3853,8 +3928,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3899,8 +3975,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3945,8 +4022,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3993,8 +4071,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4039,8 +4118,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4085,8 +4165,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4143,8 +4224,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4189,8 +4271,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4233,8 +4316,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4279,8 +4363,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4325,8 +4410,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4371,8 +4457,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4431,8 +4518,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4478,8 +4566,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4526,8 +4615,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4572,8 +4662,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4618,8 +4709,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4662,8 +4754,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-mmc.md b/windows/client-management/mdm/policy-csp-admx-mmc.md index 2702409921..66f7ee9fa5 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmc.md +++ b/windows/client-management/mdm/policy-csp-admx-mmc.md @@ -54,8 +54,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -110,8 +111,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -166,8 +168,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -222,8 +225,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -272,8 +276,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md index 8ff8e4f1fc..42d6a7faa7 100644 --- a/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md +++ b/windows/client-management/mdm/policy-csp-admx-mmcsnapins.md @@ -351,8 +351,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -405,8 +406,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -460,8 +462,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -515,8 +518,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -570,8 +574,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -625,8 +630,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -680,8 +686,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -735,8 +742,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -790,8 +798,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -845,8 +854,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -900,8 +910,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -955,8 +966,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1009,8 +1021,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1063,8 +1076,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1117,8 +1131,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1171,8 +1186,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1225,8 +1241,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1279,8 +1296,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1333,8 +1351,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1387,8 +1406,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1441,8 +1461,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1495,8 +1516,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1549,8 +1571,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1603,8 +1626,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1657,8 +1681,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1711,8 +1736,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1765,8 +1791,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1819,8 +1846,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1873,8 +1901,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1928,8 +1957,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1982,8 +2012,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2036,8 +2067,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2090,8 +2122,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2144,8 +2177,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2198,8 +2232,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2252,8 +2287,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2306,8 +2342,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2360,8 +2397,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2416,8 +2454,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2470,8 +2509,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2524,8 +2564,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2578,8 +2619,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2632,8 +2674,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2686,8 +2729,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2740,8 +2784,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2794,8 +2839,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2848,8 +2894,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2902,8 +2949,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2956,8 +3004,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3010,8 +3059,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3064,8 +3114,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3118,8 +3169,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3172,8 +3224,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3226,8 +3279,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3280,8 +3334,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3334,8 +3389,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3388,8 +3444,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3442,8 +3499,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3496,8 +3554,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3550,8 +3609,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3604,8 +3664,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3658,8 +3719,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3712,8 +3774,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3766,8 +3829,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3820,8 +3884,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3874,8 +3939,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3928,8 +3994,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3982,8 +4049,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4036,8 +4104,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4090,8 +4159,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4144,8 +4214,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4198,8 +4269,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4252,8 +4324,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4306,8 +4379,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4360,8 +4434,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4414,8 +4489,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4468,8 +4544,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4522,8 +4599,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4576,8 +4654,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4630,8 +4709,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4684,8 +4764,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4738,8 +4819,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4792,8 +4874,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4846,8 +4929,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4900,8 +4984,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4954,8 +5039,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5008,8 +5094,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5062,8 +5149,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5116,8 +5204,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5170,8 +5259,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5224,8 +5314,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5278,8 +5369,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5332,8 +5424,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5386,8 +5479,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5440,8 +5534,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5494,8 +5589,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5548,8 +5644,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5602,8 +5699,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5656,8 +5754,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5710,8 +5809,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5764,8 +5864,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5818,8 +5919,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5872,8 +5974,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5926,8 +6029,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5980,8 +6084,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md index 34f7bcbfc2..5beff76d0e 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcmobilitycenter.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md index c9cd0dfc84..382e64f23d 100644 --- a/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md +++ b/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings.md @@ -47,8 +47,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,8 +101,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-msapolicy.md b/windows/client-management/mdm/policy-csp-admx-msapolicy.md index 28951a0ef8..e95aac830e 100644 --- a/windows/client-management/mdm/policy-csp-admx-msapolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-msapolicy.md @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-msched.md b/windows/client-management/mdm/policy-csp-admx-msched.md index 3a580b4655..a3e9d15464 100644 --- a/windows/client-management/mdm/policy-csp-admx-msched.md +++ b/windows/client-management/mdm/policy-csp-admx-msched.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -92,8 +93,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-msdt.md b/windows/client-management/mdm/policy-csp-admx-msdt.md index 618c6a4ae9..01e72fdc64 100644 --- a/windows/client-management/mdm/policy-csp-admx-msdt.md +++ b/windows/client-management/mdm/policy-csp-admx-msdt.md @@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,8 +101,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -164,8 +166,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md index a0cd0f78dc..af31120c3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-msi.md +++ b/windows/client-management/mdm/policy-csp-admx-msi.md @@ -110,8 +110,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -161,8 +162,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -212,8 +214,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -260,8 +263,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -313,8 +317,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -366,8 +371,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -413,8 +419,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -464,8 +471,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -517,8 +525,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -568,8 +577,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -620,8 +630,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -668,8 +679,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -717,8 +729,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -764,8 +777,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -814,8 +828,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -864,8 +879,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -914,8 +930,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -962,8 +979,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1010,8 +1028,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1063,8 +1082,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1116,8 +1136,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1163,8 +1184,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1212,8 +1234,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1265,8 +1288,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md index 2c849e4760..54717a8f50 100644 --- a/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md +++ b/windows/client-management/mdm/policy-csp-admx-msifilerecovery.md @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md index e9ade41d39..2b520f4ec5 100644 --- a/windows/client-management/mdm/policy-csp-admx-nca.md +++ b/windows/client-management/mdm/policy-csp-admx-nca.md @@ -63,8 +63,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -119,8 +120,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -161,8 +163,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,8 +212,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -253,8 +257,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -306,8 +311,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -349,8 +355,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -395,8 +402,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md index 1c77cc3924..41bfae8db7 100644 --- a/windows/client-management/mdm/policy-csp-admx-ncsi.md +++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md @@ -61,8 +61,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -102,8 +103,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -144,8 +146,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -186,8 +189,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -231,8 +235,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -273,8 +278,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -315,8 +321,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 69d1b2b128..517f41ab17 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -145,8 +145,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -199,8 +200,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -250,8 +252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -300,8 +303,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -352,8 +356,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -404,8 +409,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -454,8 +460,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -507,8 +514,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -559,8 +567,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -614,8 +623,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -671,8 +681,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -720,8 +731,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -764,8 +776,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -816,8 +829,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -892,8 +906,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -945,8 +960,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -998,8 +1014,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1045,8 +1062,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1093,8 +1111,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1145,8 +1164,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1195,8 +1215,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1248,8 +1269,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1298,8 +1320,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1348,8 +1371,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1396,8 +1420,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1446,8 +1471,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1495,8 +1521,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1550,8 +1577,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1596,8 +1624,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1651,8 +1680,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1705,8 +1735,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1755,8 +1786,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1805,8 +1837,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1860,8 +1893,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1912,8 +1946,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-networkconnections.md b/windows/client-management/mdm/policy-csp-admx-networkconnections.md index fb57335deb..210fdcd3ca 100644 --- a/windows/client-management/mdm/policy-csp-admx-networkconnections.md +++ b/windows/client-management/mdm/policy-csp-admx-networkconnections.md @@ -121,8 +121,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -178,8 +179,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -231,8 +233,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -289,8 +292,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -342,8 +346,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -401,8 +406,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -458,8 +464,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -508,8 +515,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -554,8 +562,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -606,8 +615,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -656,8 +666,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -702,8 +713,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -763,8 +775,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -816,8 +829,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -871,8 +885,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -924,8 +939,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -979,8 +995,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1038,8 +1055,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1097,8 +1115,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1145,8 +1164,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1202,8 +1222,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1259,8 +1280,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1314,8 +1336,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1367,8 +1390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1420,8 +1444,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1479,8 +1504,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1529,8 +1555,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index f07a5e91bc..7d60db6150 100644 
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -178,8 +178,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -226,8 +227,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -277,8 +279,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -328,8 +331,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -376,8 +380,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -434,8 +439,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -494,8 +500,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -554,8 +561,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -611,8 +619,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -662,8 +671,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -716,8 +726,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -773,8 +784,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -827,8 +839,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -873,8 +886,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -924,8 +938,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -985,8 +1000,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1046,8 +1062,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1097,8 +1114,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1148,8 +1166,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1199,8 +1218,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1250,8 +1270,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1300,8 +1321,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1350,8 +1372,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1404,8 +1427,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1458,8 +1482,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1515,8 +1540,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1572,8 +1598,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1622,8 +1649,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1670,8 +1698,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1719,8 +1748,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1765,8 +1795,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1816,8 +1847,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1867,8 +1899,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1913,8 +1946,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1959,8 +1993,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2005,8 +2040,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2051,8 +2087,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2107,8 +2144,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2157,8 +2195,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2212,8 +2251,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2267,8 +2307,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2324,8 +2365,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2379,8 +2421,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2428,8 +2471,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2477,8 +2521,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2523,8 +2568,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2569,8 +2615,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-pca.md b/windows/client-management/mdm/policy-csp-admx-pca.md index 42ba7c4f46..21b21c87e2 100644 --- a/windows/client-management/mdm/policy-csp-admx-pca.md +++ b/windows/client-management/mdm/policy-csp-admx-pca.md @@ -61,8 +61,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -113,8 +114,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -158,8 +160,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -199,8 +202,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -241,8 +245,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -285,8 +290,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -329,8 +335,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md index 34ba4b459a..7218cc97d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md +++ b/windows/client-management/mdm/policy-csp-admx-peertopeercaching.md @@ -66,8 +66,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -121,8 +122,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -174,8 +176,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -233,8 +236,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -295,8 +299,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -353,8 +358,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -405,8 +411,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -464,8 +471,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -520,8 +528,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-pentraining.md b/windows/client-management/mdm/policy-csp-admx-pentraining.md index 4c76a42a3e..faf9afb98a 100644 
--- a/windows/client-management/mdm/policy-csp-admx-pentraining.md +++ b/windows/client-management/mdm/policy-csp-admx-pentraining.md @@ -45,8 +45,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -91,8 +92,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md index 9cc9e2323e..18ce028bb6 100644 --- a/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md +++ b/windows/client-management/mdm/policy-csp-admx-performancediagnostics.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -107,8 +108,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -161,8 +163,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -215,8 +218,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md index 86b4d9bd92..d77be55b2b 100644 
--- a/windows/client-management/mdm/policy-csp-admx-power.md +++ b/windows/client-management/mdm/policy-csp-admx-power.md @@ -115,8 +115,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -163,8 +164,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,8 +211,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -259,8 +262,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -305,8 +309,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -351,8 +356,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -397,8 +403,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -443,8 +450,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -489,8 +497,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -540,8 +549,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -591,8 +601,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -639,8 +650,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -689,8 +701,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -737,8 +750,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -785,8 +799,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -831,8 +846,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -881,8 +897,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -927,8 +944,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -973,8 +991,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1025,8 +1044,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1073,8 +1093,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1121,8 +1142,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1167,8 +1189,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1213,8 +1236,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1259,8 +1283,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md index 34ae8db19f..d9933722cc 100644 
--- a/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md +++ b/windows/client-management/mdm/policy-csp-admx-powershellexecutionpolicy.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -104,8 +105,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,8 +158,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -208,8 +211,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-previousversions.md b/windows/client-management/mdm/policy-csp-admx-previousversions.md index aa6509eeeb..cb7bb6a236 100644 --- a/windows/client-management/mdm/policy-csp-admx-previousversions.md +++ b/windows/client-management/mdm/policy-csp-admx-previousversions.md @@ -65,8 +65,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -112,8 +113,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -159,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -206,8 +209,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -254,8 +258,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -300,8 +305,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -346,8 +352,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -393,8 +400,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-printing.md b/windows/client-management/mdm/policy-csp-admx-printing.md index 869b0f1663..fa322d02d0 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing.md +++ b/windows/client-management/mdm/policy-csp-admx-printing.md @@ -119,8 +119,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -172,8 +173,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,8 +227,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -279,8 +282,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -326,8 +330,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -386,8 +391,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -435,8 +441,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -492,8 +499,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -536,8 +544,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -586,8 +595,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -636,8 +646,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -684,8 +695,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -730,8 +742,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -778,8 +791,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -835,8 +849,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -881,8 +896,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -927,8 +943,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -977,8 +994,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1027,8 +1045,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1077,8 +1096,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1125,8 +1145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1176,8 +1197,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1227,8 +1249,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1275,8 +1298,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1328,8 +1352,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1377,8 +1402,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-printing2.md b/windows/client-management/mdm/policy-csp-admx-printing2.md index a7e0cdbfe7..74159d9d3c 100644 --- a/windows/client-management/mdm/policy-csp-admx-printing2.md +++ b/windows/client-management/mdm/policy-csp-admx-printing2.md 
@@ -67,8 +67,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -118,8 +119,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -169,8 +171,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -227,8 +230,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -280,8 +284,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -331,8 +336,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -384,8 +390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -435,8 +442,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -483,8 +491,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-programs.md b/windows/client-management/mdm/policy-csp-admx-programs.md index 129d6e7fe7..681645a684 100644 --- a/windows/client-management/mdm/policy-csp-admx-programs.md +++ b/windows/client-management/mdm/policy-csp-admx-programs.md @@ -61,8 +61,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -110,8 +111,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -163,8 +165,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -211,8 +214,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -257,8 +261,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -307,8 +312,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -353,8 +359,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md index d24d8ded60..4e6309ff2a 100644 --- a/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md +++ b/windows/client-management/mdm/policy-csp-admx-pushtoinstall.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-radar.md b/windows/client-management/mdm/policy-csp-admx-radar.md index b9b78697d6..dc01eef4a8 100644 --- a/windows/client-management/mdm/policy-csp-admx-radar.md +++ b/windows/client-management/mdm/policy-csp-admx-radar.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index 006b2c772d..fd6026410b 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -104,8 +105,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -156,8 +158,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,8 +212,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md index 31a892b671..46d52c8807 100644 --- a/windows/client-management/mdm/policy-csp-admx-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-admx-remoteassistance.md @@ -45,8 +45,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-removablestorage.md b/windows/client-management/mdm/policy-csp-admx-removablestorage.md index 7ce8e84d8f..2c559d99c8 100644 --- a/windows/client-management/mdm/policy-csp-admx-removablestorage.md +++ b/windows/client-management/mdm/policy-csp-admx-removablestorage.md @@ -135,8 +135,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -184,8 +185,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -233,8 +235,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -279,8 +282,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -324,8 +328,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -370,8 +375,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -416,8 +422,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -462,8 +469,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -508,8 +516,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -554,8 +563,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -599,8 +609,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -644,8 +655,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -689,8 +701,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -734,8 +747,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -779,8 +793,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -823,8 +838,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -868,8 +884,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -912,8 +929,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -957,8 +975,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1001,8 +1020,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1049,8 +1069,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1096,8 +1117,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1143,8 +1165,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1188,8 +1211,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1233,8 +1257,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1277,8 +1302,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1322,8 +1348,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1366,8 +1393,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1411,8 +1439,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1456,8 +1485,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1500,8 +1530,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1545,8 +1576,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md index 24ee32b891..4298af2621 100644 --- a/windows/client-management/mdm/policy-csp-admx-rpc.md +++ b/windows/client-management/mdm/policy-csp-admx-rpc.md @@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -116,8 +117,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -174,8 +176,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -231,8 +234,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 46d2eeb48e..430c0d6f48 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -75,8 +75,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -121,8 +122,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -173,8 +175,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -242,8 +245,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -292,8 +296,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -340,8 +345,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -388,8 +394,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -436,8 +443,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -484,8 +492,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -532,8 +541,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -583,8 +593,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -634,8 +645,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index 5b902e0ec5..17ca6fbf33 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -143,8 +145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md index 31c0354809..6f371c240a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiagschd.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiagschd.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 92746a10df..5be970f2f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-sensors.md b/windows/client-management/mdm/policy-csp-admx-sensors.md index 560b651c17..a3aa6e151f 100644 --- a/windows/client-management/mdm/policy-csp-admx-sensors.md +++ b/windows/client-management/mdm/policy-csp-admx-sensors.md 
@@ -54,8 +54,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,8 +101,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -146,8 +148,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -192,8 +195,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -238,8 +242,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-servermanager.md b/windows/client-management/mdm/policy-csp-admx-servermanager.md index 8bb98497e4..76207bded4 100644 --- a/windows/client-management/mdm/policy-csp-admx-servermanager.md +++ b/windows/client-management/mdm/policy-csp-admx-servermanager.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -104,8 +105,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -154,8 +156,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -202,8 +205,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index a995b45573..f891376217 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -37,8 +37,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-settingsync.md b/windows/client-management/mdm/policy-csp-admx-settingsync.md index 9d61845ecc..cbb3b966d6 100644 --- a/windows/client-management/mdm/policy-csp-admx-settingsync.md +++ b/windows/client-management/mdm/policy-csp-admx-settingsync.md @@ -66,8 +66,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -114,8 +115,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -162,8 +164,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -210,8 +213,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -258,8 +262,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -306,8 +311,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -354,8 +360,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -402,8 +409,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -448,8 +456,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 08337cd9ac..934216e1eb 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -44,8 +44,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index 72af1e5fd1..893de2b78c 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -41,8 +41,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index d9a9efabdf..c0a99683df 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -105,8 +106,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -153,8 +155,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -205,8 +208,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 089c628ab8..e694a787d9 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -87,8 +87,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -139,8 +140,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -187,8 +189,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -233,8 +236,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -281,8 +285,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -327,8 +332,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -369,8 +375,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -418,8 +425,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -467,8 +475,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -516,8 +525,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -569,8 +579,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -617,8 +628,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -666,8 +678,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -714,8 +727,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -763,8 +777,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -812,8 +827,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 528ebac188..93807f7856 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -106,8 +107,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -163,8 +165,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-soundrec.md b/windows/client-management/mdm/policy-csp-admx-soundrec.md index 1609eb9c33..32c6742cfd 100644 --- a/windows/client-management/mdm/policy-csp-admx-soundrec.md +++ b/windows/client-management/mdm/policy-csp-admx-soundrec.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -92,8 +93,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-srmfci.md b/windows/client-management/mdm/policy-csp-admx-srmfci.md index 325fd93379..62e38da1e0 100644 --- a/windows/client-management/mdm/policy-csp-admx-srmfci.md +++ b/windows/client-management/mdm/policy-csp-admx-srmfci.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -88,8 +89,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index f89c8f56d9..408f2231a6 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -240,8 +240,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -286,8 +287,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -343,8 +345,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -387,8 +390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -433,8 +437,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -479,8 +484,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -527,8 +533,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -582,8 +589,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -630,8 +638,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -681,8 +690,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -727,8 +737,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -778,8 +789,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -829,8 +841,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -875,8 +888,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -925,8 +939,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -973,8 +988,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1019,8 +1035,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1068,8 +1085,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1114,8 +1132,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1167,8 +1186,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1220,8 +1240,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1264,8 +1285,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1312,8 +1334,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1362,8 +1385,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1413,8 +1437,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1465,8 +1490,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1511,8 +1537,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1568,8 +1595,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1619,8 +1647,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1669,8 +1698,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1734,8 +1764,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1785,8 +1816,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1836,8 +1868,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1882,8 +1915,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1928,8 +1962,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1974,8 +2009,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2018,8 +2054,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2062,8 +2099,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2106,8 +2144,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2150,8 +2189,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2194,8 +2234,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2238,8 +2279,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2288,8 +2330,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2336,8 +2379,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2382,8 +2426,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2426,8 +2471,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2472,8 +2518,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2522,8 +2569,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2568,8 +2616,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2618,8 +2667,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2664,8 +2714,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2712,8 +2763,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2760,8 +2812,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2808,8 +2861,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2859,8 +2913,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2903,8 +2958,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2947,8 +3003,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2993,8 +3050,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3045,8 +3103,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3093,8 +3152,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3141,8 +3201,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3185,8 +3246,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3231,8 +3293,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3280,8 +3343,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3326,8 +3390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3368,8 +3433,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3421,8 +3487,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index b8c24f28ca..ee521b2113 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-tabletshell.md b/windows/client-management/mdm/policy-csp-admx-tabletshell.md index 89216a67b0..d4d449e3cb 100644 --- a/windows/client-management/mdm/policy-csp-admx-tabletshell.md +++ b/windows/client-management/mdm/policy-csp-admx-tabletshell.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 515570e609..5e6e510daf 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -106,8 +106,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -155,8 +156,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -204,8 +206,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,8 +252,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -294,8 +298,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -339,8 +344,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -384,8 +390,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -429,8 +436,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -474,8 +482,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -519,8 +528,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -565,8 +575,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -617,8 +628,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -663,8 +675,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -712,8 +725,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -759,8 +773,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -805,8 +820,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -850,8 +866,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -897,8 +914,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -942,8 +960,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -988,8 +1007,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1035,8 +1055,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1081,8 +1102,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index 6a9bd7666d..f94465f1a3 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -79,8 +79,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -124,8 +125,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -169,8 +171,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -220,8 +223,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -271,8 +275,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -316,8 +321,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -361,8 +367,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -412,8 +419,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -457,8 +465,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -504,8 +513,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -552,8 +562,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -597,8 +608,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -650,8 +662,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 9dedd54d73..448f4d16bd 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -309,8 +309,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -356,8 +357,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -403,8 +405,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -455,8 +458,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -480,8 +484,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -531,8 +536,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -583,8 +589,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -630,8 +637,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -677,8 +685,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -728,8 +737,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -777,8 +787,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -828,8 +839,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -879,8 +891,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -930,8 +943,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -981,8 +995,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1028,8 +1043,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1075,8 +1091,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1122,8 +1139,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1172,8 +1190,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1221,8 +1240,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1275,8 +1295,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1329,8 +1350,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1376,8 +1398,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1431,8 +1454,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1483,8 +1507,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1531,8 +1556,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1581,8 +1607,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1631,8 +1658,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1681,8 +1709,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1732,8 +1761,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1787,8 +1817,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1836,8 +1867,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1888,8 +1920,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1937,8 +1970,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1991,8 +2025,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2044,8 +2079,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2093,8 +2129,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2145,8 +2182,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2196,8 +2234,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2245,8 +2284,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2297,8 +2337,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2351,8 +2392,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2398,8 +2440,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2445,8 +2488,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2497,8 +2541,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2544,8 +2589,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2597,8 +2643,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2649,8 +2696,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2699,8 +2747,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2747,8 +2796,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2793,8 +2843,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2839,8 +2890,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2889,8 +2941,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2941,8 +2994,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2991,8 +3045,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3045,8 +3100,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3097,8 +3153,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3149,8 +3206,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3198,8 +3256,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3246,8 +3305,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3299,8 +3359,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3346,8 +3407,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3391,8 +3453,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3444,8 +3507,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3496,8 +3560,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3544,8 +3609,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3592,8 +3658,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3639,8 +3706,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3686,8 +3754,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3739,8 +3808,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3792,8 +3862,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3843,8 +3914,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3894,8 +3966,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3946,8 +4019,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3998,8 +4072,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4051,8 +4126,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4104,8 +4180,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4152,8 +4229,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4202,8 +4280,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4252,8 +4331,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4302,8 +4382,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4352,8 +4433,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4401,8 +4483,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4451,8 +4534,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4501,8 +4585,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4551,8 +4636,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4600,8 +4686,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4645,8 +4732,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4694,8 +4782,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4745,8 +4834,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4795,8 +4885,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index cad32638c6..c420b7243d 100644 
--- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -95,8 +96,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -142,8 +144,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 4f7283a5a7..4876258cb8 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -52,8 +52,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -143,8 +145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -190,8 +193,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index cc8d6387aa..bee67da425 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -69,8 +69,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -114,8 +115,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -155,8 +157,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -202,8 +205,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,8 +253,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -303,8 +308,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -344,8 +350,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -401,8 +408,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -460,8 +468,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -519,8 +528,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index 25e8620306..05651ad55f 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -417,8 +417,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -467,8 +468,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -522,8 +524,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -573,8 +576,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -620,8 +624,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -666,8 +671,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -719,8 +725,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -767,8 +774,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -810,8 +818,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -858,8 +867,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -905,8 +915,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -953,8 +964,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1003,8 +1015,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1052,8 +1065,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1100,8 +1114,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1148,8 +1163,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1196,8 +1212,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1244,8 +1261,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1290,8 +1308,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1338,8 +1357,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1386,8 +1406,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1434,8 +1455,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1483,8 +1505,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1531,8 +1554,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1578,8 +1602,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1626,8 +1651,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1675,8 +1701,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1723,8 +1750,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1772,8 +1800,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1820,8 +1849,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1869,8 +1899,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1917,8 +1948,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1965,8 +1997,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2012,8 +2045,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2060,8 +2094,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2108,8 +2143,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2157,8 +2193,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2206,8 +2243,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2254,8 +2292,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2302,8 +2341,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2351,8 +2391,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2399,8 +2440,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2448,8 +2490,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2497,8 +2540,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2546,8 +2590,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2595,8 +2640,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2643,8 +2689,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2692,8 +2739,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2741,8 +2789,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2790,8 +2839,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2838,8 +2888,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2886,8 +2937,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2935,8 +2987,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2984,8 +3037,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3033,8 +3087,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3082,8 +3137,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3130,8 +3186,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3179,8 +3236,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3228,8 +3286,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3276,8 +3335,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3324,8 +3384,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3372,8 +3433,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3421,8 +3483,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3470,8 +3533,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3520,8 +3584,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3569,8 +3634,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3618,8 +3684,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3667,8 +3734,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3716,8 +3784,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3765,8 +3834,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3813,8 +3883,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3862,8 +3933,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3910,8 +3982,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3959,8 +4032,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4007,8 +4081,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4055,8 +4130,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4105,8 +4181,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4153,8 +4230,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4202,8 +4280,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4251,8 +4330,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4300,8 +4380,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4348,8 +4429,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4397,8 +4479,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4445,8 +4528,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4494,8 +4578,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4543,8 +4628,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4592,8 +4678,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4641,8 +4728,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4690,8 +4778,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4739,8 +4828,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4788,8 +4878,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4836,8 +4927,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4885,8 +4977,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4934,8 +5027,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4983,8 +5077,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5032,8 +5127,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5081,8 +5177,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5130,8 +5227,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5179,8 +5277,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5228,8 +5327,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5277,8 +5377,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5326,8 +5427,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5375,8 +5477,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5423,8 +5526,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5472,8 +5576,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5520,8 +5625,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5569,8 +5675,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5618,8 +5725,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5667,8 +5775,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5715,8 +5824,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5764,8 +5874,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5813,8 +5924,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5863,8 +5975,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5910,8 +6023,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5957,8 +6071,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6010,8 +6125,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6059,8 +6175,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6102,8 +6219,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6151,8 +6269,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6200,8 +6319,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6249,8 +6369,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6297,8 +6418,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6346,8 +6468,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6391,8 +6514,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6440,8 +6564,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6489,8 +6614,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 01ff1725af..61082a5684 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -63,8 +63,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -111,8 +112,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -159,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,8 +212,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -260,8 +264,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -309,8 +314,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -358,8 +364,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -412,8 +419,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index 880375abd7..fd75025cff 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -51,8 +51,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -173,8 +174,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -240,8 +242,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -288,8 +291,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wcm.md b/windows/client-management/mdm/policy-csp-admx-wcm.md index 7af1124e31..56d18c37ee 100644 --- a/windows/client-management/mdm/policy-csp-admx-wcm.md +++ b/windows/client-management/mdm/policy-csp-admx-wcm.md 
@@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -147,8 +149,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wdi.md b/windows/client-management/mdm/policy-csp-admx-wdi.md index a4a59c9cbd..6e8175c253 100644 --- a/windows/client-management/mdm/policy-csp-admx-wdi.md +++ b/windows/client-management/mdm/policy-csp-admx-wdi.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index 25ce545184..eeee17dfa6 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -45,8 +45,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -94,8 +95,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md index 807a4c84ff..08e1bacf93 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md +++ b/windows/client-management/mdm/policy-csp-admx-windowscolorsystem.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -91,8 +92,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 1922a73f28..02d063368a 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -48,8 +48,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -93,8 +94,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -139,8 +141,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 8f4e9a4209..410c6bf3a4 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -254,8 +254,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -304,8 +305,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -353,8 +355,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -399,8 +402,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -446,8 +450,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -493,8 +498,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -550,8 +556,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -599,8 +606,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -649,8 +657,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -699,8 +708,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -754,8 +764,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -802,8 +813,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -849,8 +861,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -895,8 +908,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -946,8 +960,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -997,8 +1012,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1048,8 +1064,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1099,8 +1116,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1150,8 +1168,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1201,8 +1220,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1252,8 +1272,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1303,8 +1324,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1354,8 +1376,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1405,8 +1428,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1454,8 +1478,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1503,8 +1528,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1552,8 +1578,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1601,8 +1628,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1650,8 +1678,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1699,8 +1728,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1749,8 +1779,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1799,8 +1830,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1848,8 +1880,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1897,8 +1930,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1945,8 +1979,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1991,8 +2026,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2037,8 +2073,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2086,8 +2123,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2135,8 +2173,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2183,8 +2222,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2227,8 +2267,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2273,8 +2314,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2324,8 +2366,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2375,8 +2418,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2425,8 +2469,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2469,8 +2514,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2517,8 +2563,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2559,8 +2606,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2608,8 +2656,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2654,8 +2703,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2705,8 +2755,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2749,8 +2800,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2793,8 +2845,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2839,8 +2892,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2889,8 +2943,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2935,8 +2990,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2981,8 +3037,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3027,8 +3084,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3074,8 +3132,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3118,8 +3177,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3169,8 +3229,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3217,8 +3278,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3267,8 +3329,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3324,8 +3387,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3377,8 +3441,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3426,8 +3491,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3474,8 +3540,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3522,8 +3589,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3570,8 +3638,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3618,8 +3687,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3668,8 +3738,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index 477a03bb2f..d8b921b3e5 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md 
@@ -42,8 +42,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index c4325fa43a..84b826b53e 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -102,8 +102,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -160,8 +161,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -217,8 +219,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -272,8 +275,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -320,8 +324,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -366,8 +371,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -414,8 +420,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -462,8 +469,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -512,8 +520,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -560,8 +569,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -608,8 +618,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -654,8 +665,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -705,8 +717,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -753,8 +766,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -799,8 +813,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -845,8 +860,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -891,8 +907,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -937,8 +954,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -982,8 +1000,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1028,8 +1047,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1078,8 +1098,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md index 1d922a36c6..bd307b779e 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsremotemanagement.md @@ -46,8 +46,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -92,8 +93,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-windowsstore.md b/windows/client-management/mdm/policy-csp-admx-windowsstore.md index c1c177297f..72fffb643f 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsstore.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsstore.md @@ -57,8 +57,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -105,8 +106,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -154,8 +156,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -203,8 +206,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -252,8 +256,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index 452cf045a2..421da6c478 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md 
@@ -49,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,8 +97,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -143,8 +145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-winlogon.md b/windows/client-management/mdm/policy-csp-admx-winlogon.md index f21fb8b148..366c193e05 100644 --- a/windows/client-management/mdm/policy-csp-admx-winlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-winlogon.md @@ -58,8 +58,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -108,8 +109,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -158,8 +160,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -208,8 +211,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -260,8 +264,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -308,8 +313,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-winsrv.md b/windows/client-management/mdm/policy-csp-admx-winsrv.md index 1b02e8ef54..9b5ea557d1 100644 --- a/windows/client-management/mdm/policy-csp-admx-winsrv.md +++ b/windows/client-management/mdm/policy-csp-admx-winsrv.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wlansvc.md b/windows/client-management/mdm/policy-csp-admx-wlansvc.md index 588277efab..aeda8eb64c 100644 --- a/windows/client-management/mdm/policy-csp-admx-wlansvc.md +++ b/windows/client-management/mdm/policy-csp-admx-wlansvc.md @@ -49,8 +49,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -97,8 +98,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -143,8 +145,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-admx-wordwheel.md b/windows/client-management/mdm/policy-csp-admx-wordwheel.md index 45948daa4a..57124ac9b3 100644 --- a/windows/client-management/mdm/policy-csp-admx-wordwheel.md +++ b/windows/client-management/mdm/policy-csp-admx-wordwheel.md @@ -43,8 +43,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md index 2b291fdd5f..ba75fb37db 100644 --- a/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md +++ b/windows/client-management/mdm/policy-csp-admx-workfoldersclient.md @@ -50,8 +50,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -98,8 +99,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -155,8 +157,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-admx-wpn.md b/windows/client-management/mdm/policy-csp-admx-wpn.md index 3cfe80c0cc..857a782385 100644 --- a/windows/client-management/mdm/policy-csp-admx-wpn.md +++ b/windows/client-management/mdm/policy-csp-admx-wpn.md 
@@ -58,8 +58,9 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -107,8 +108,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,8 +158,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -205,8 +208,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -258,8 +262,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -307,8 +312,9 @@ ADMX Info: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No| -|Business|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 5cebcba3b5..08788dc5cf 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -42,6 +42,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -140,6 +141,7 @@ Here's the SyncMl example: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1bddb1ae40..fcce9195c4 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -79,6 +79,7 @@ manager: dansimp |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -135,6 +136,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -186,6 +188,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -237,6 +240,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -288,6 +292,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -341,6 +346,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -391,6 +397,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -449,6 +456,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -497,6 +505,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -550,6 +559,7 @@ For this policy to work, the Windows apps need to declare in their manifest that |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -603,6 +613,7 @@ This setting supports a range of values between 0 and 1. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -659,6 +670,7 @@ This setting supports a range of values between 0 and 1. |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -711,6 +723,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -761,6 +774,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -811,6 +825,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index c8db68a7e0..a73acd40df 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -45,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index 24c9070487..fe783f49f7 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md 
@@ -126,6 +126,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -170,6 +171,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -213,6 +215,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -256,6 +259,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -299,6 +303,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -342,6 +347,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -395,6 +401,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -438,6 +445,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -481,6 +489,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -524,6 +533,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -567,6 +577,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -610,6 +621,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -653,6 +665,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -714,6 +727,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -775,6 +789,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -836,6 +851,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -897,6 +913,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -958,6 +975,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1001,6 +1019,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1044,6 +1063,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1087,6 +1107,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1130,6 +1151,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1173,6 +1195,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1216,6 +1239,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1259,6 +1283,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1302,6 +1327,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1345,6 +1371,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1388,6 +1415,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index b182ba287e..ef2aae173e 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -52,6 +52,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -102,6 +103,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -152,6 +154,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 1ac68b444f..02ffc74825 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -209,6 +209,7 @@ ms.date: 09/27/2019 |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -269,6 +270,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -326,6 +328,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -385,6 +388,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -443,6 +447,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -500,6 +505,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -558,6 +564,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -619,6 +626,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -676,6 +684,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -739,6 +748,7 @@ The following values are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -796,6 +806,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -855,6 +866,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -912,6 +924,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -970,6 +983,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1028,6 +1042,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1084,6 +1099,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1144,6 +1160,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1202,6 +1219,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1266,6 +1284,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1329,6 +1348,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1390,6 +1410,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1455,6 +1476,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1511,6 +1533,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1570,6 +1593,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1635,6 +1659,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1696,6 +1721,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1753,6 +1779,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1810,6 +1837,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1867,6 +1895,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1924,6 +1953,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1981,6 +2011,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2036,6 +2067,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2095,6 +2127,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2157,6 +2190,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2229,6 +2263,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2288,6 +2323,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2347,6 +2383,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2407,6 +2444,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2475,6 +2513,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2530,6 +2569,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2590,6 +2630,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2648,6 +2689,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2713,6 +2755,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2773,6 +2816,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2830,6 +2874,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2897,6 +2942,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2969,6 +3015,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3032,6 +3079,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3094,6 +3142,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3159,6 +3208,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3220,6 +3270,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3286,6 +3337,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3374,6 +3426,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3427,6 +3480,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3499,6 +3553,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3563,6 +3618,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3621,6 +3677,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3679,6 +3736,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3739,6 +3797,7 @@ The following are the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index f1263416b4..e14b58d4da 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -65,6 +65,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -106,6 +107,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -147,6 +149,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -190,6 +193,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -235,6 +239,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -288,6 +293,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -333,6 +339,7 @@ Specifies the list of domains that are allowed to be navigated to in AAD PIN res |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -382,6 +389,7 @@ Web Sign-in is only supported on Azure AD Joined PCs. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -437,6 +445,7 @@ Value type is integer. Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -492,6 +501,7 @@ Value type is integer. Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index 365d7cf732..fdad7a559c 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -51,6 +51,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,6 +101,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -158,6 +160,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index add5331983..1b8b70190b 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -42,6 +42,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index 7b7b384396..fdf4c21d9e 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -60,6 +60,7 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -127,6 +128,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -193,6 +195,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -259,6 +262,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -319,6 +323,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -379,6 +384,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index a27b8b0f61..47218ce2fb 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -55,6 +55,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,6 +101,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -145,6 +147,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -186,6 +189,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -227,6 +231,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -265,6 +270,7 @@ If this policy isn't set or is deleted, the default local radio name is used. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -301,6 +307,7 @@ The default value is an empty string. For more information, see [ServicesAllowed |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 5deb121be6..2c340877a4 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -205,6 +205,7 @@ ms.localizationpriority: medium |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -259,6 +260,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -321,6 +323,7 @@ To verify AllowAutofill is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -373,6 +376,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -435,6 +439,7 @@ To verify AllowCookies is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -487,6 +492,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -548,6 +554,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -600,6 +607,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -652,6 +660,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -707,6 +716,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -767,6 +777,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| 
@@ -819,6 +830,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -875,6 +887,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -936,6 +949,7 @@ To verify AllowPasswordManager is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -997,6 +1011,7 @@ To verify AllowPopups is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1058,6 +1073,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1118,6 +1134,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1178,6 +1195,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1236,6 +1254,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1289,6 +1308,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1349,6 +1369,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1409,6 +1430,7 @@ To verify AllowSmartScreen is set to 0 (not allowed): |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| 
@@ -1468,6 +1490,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1527,6 +1550,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1582,6 +1606,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1645,6 +1670,7 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1703,6 +1729,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1763,6 +1790,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1827,6 +1855,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1894,6 +1923,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1956,6 +1986,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2028,6 +2059,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2089,6 +2121,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| 
@@ -2148,6 +2181,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2200,6 +2234,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2253,6 +2288,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2289,6 +2325,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2354,6 +2391,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2408,6 +2446,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2460,6 +2499,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2518,6 +2558,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2571,6 +2612,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2624,6 +2666,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2675,6 +2718,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2727,6 +2771,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| 
@@ -2785,6 +2830,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2837,6 +2883,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2898,6 +2945,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2951,6 +2999,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3012,6 +3061,7 @@ Most restricted value: 1 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3070,6 +3120,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3127,6 +3178,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3179,6 +3231,7 @@ Most restricted value: 0 |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3227,6 +3280,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3290,6 +3344,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -3348,6 +3403,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index 1a06b54ae0..9b21b27a52 100644 
--- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -39,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 48876d706e..62837b80db 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -57,6 +57,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -121,6 +122,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -164,6 +166,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -207,6 +210,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -250,6 +254,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index c556897ebb..3c1c5c810b 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -84,6 +84,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -133,6 +134,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -175,6 +177,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -237,6 +240,7 @@ To validate on devices, perform the following steps: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -281,6 +285,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -339,6 +344,7 @@ Device that has previously opt-in to MMX will also stop showing on the device li |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| @@ -387,6 +393,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -430,6 +437,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -473,6 +481,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -527,6 +536,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -579,6 +589,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -631,6 +642,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -675,6 +687,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -721,6 +734,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index e66ffbee8b..ef9f5a08e4 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -32,12 +32,21 @@ manager: dansimp **ControlPolicyConflict/MDMWinsOverGP** +> [!NOTE] +> This setting doesn't apply to the following types of group policies: +> +> - If they don't map to an MDM policy. For example, firewall policies and account lockout policies. +> - If they aren't defined by an ADMX. For example, Password policy - minimum password age. +> - If they're in the Windows Update category. +> - If they have list entries. For example, the Microsoft Edge CookiesAllowedForUrls policy. + |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -58,9 +67,6 @@ manager: dansimp This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. -> [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. - This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. > [!NOTE] diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index 21357c48c3..38912ec7cb 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -51,6 +51,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -104,6 +105,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -154,6 +156,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-credentialsdelegation.md b/windows/client-management/mdm/policy-csp-credentialsdelegation.md index da8c5cd222..b5f3ef4c00 100644 --- a/windows/client-management/mdm/policy-csp-credentialsdelegation.md +++ b/windows/client-management/mdm/policy-csp-credentialsdelegation.md @@ -45,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index f242322253..41635f9f61 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -47,6 +47,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -100,6 +101,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index 0e746278c6..4834a084b7 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -42,6 +42,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -94,6 +95,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index 6b464729c7..205711af03 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -42,6 +42,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -85,6 +86,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 73b7408f51..530bed96c5 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -60,6 +60,7 @@ This policy is deprecated in Windows 10, version 1809. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 3cd97e7de1..cab1c1ee93 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -160,6 +160,7 @@ ms.collection: highpri |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -213,6 +214,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -266,6 +268,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -320,6 +323,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -373,6 +377,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -426,6 +431,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -479,6 +485,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -532,6 +539,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -588,6 +596,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -641,6 +650,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -694,6 +704,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -739,6 +750,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -792,6 +804,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -841,6 +854,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -892,6 +906,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -946,6 +961,7 @@ Valid values: 0–100 |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1011,6 +1027,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1074,6 +1091,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1127,6 +1145,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1173,6 +1192,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1219,6 +1239,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1273,6 +1294,7 @@ Valid values: 0–90 |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1336,6 +1358,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1399,6 +1422,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1453,6 +1477,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1514,6 +1539,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1574,6 +1600,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1621,6 +1648,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1668,6 +1696,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1721,6 +1750,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1779,6 +1809,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1837,6 +1868,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1891,6 +1923,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1951,6 +1984,7 @@ Valid values: 0–1380 |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2015,6 +2049,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2075,6 +2110,7 @@ Valid values: 0–1380. |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2126,6 +2162,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2193,6 +2230,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2255,6 +2293,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2313,6 +2352,7 @@ Valid values: 0–24. |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2369,6 +2409,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index ba4c441b84..56963703d1 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -133,6 +133,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -182,6 +183,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -236,6 +238,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -291,6 +294,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -354,6 +358,7 @@ When DHCP Option ID Force (2) is set, the client will query DHCP Option ID 235 a |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -399,6 +404,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -455,6 +461,7 @@ Supported values: 0 - one month (in seconds) |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -509,6 +516,7 @@ Supported values: 0 - one month (in seconds) |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -566,6 +574,7 @@ The following list shows the supported values as number of seconds: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -623,6 +632,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -673,6 +683,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -736,6 +747,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -781,6 +793,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -829,6 +842,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -901,6 +915,7 @@ This policy is deprecated. Use [DOMaxForegroundDownloadBandwidth](#deliveryoptim |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -965,6 +980,7 @@ This policy is deprecated because it only applies to uploads to Internet peers ( |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1014,6 +1030,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1062,6 +1079,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1114,6 +1132,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1163,6 +1182,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1212,6 +1232,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1261,6 +1282,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1312,6 +1334,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1370,6 +1393,7 @@ This policy is deprecated. Use [DOPercentageMaxForegroundBandwidth](#deliveryopt |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1415,6 +1439,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1467,6 +1492,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1519,6 +1545,7 @@ This policy allows an IT Admin to define the following details: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index aa850f28a4..947f9373f2 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -44,6 +44,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 9a718888b1..0629edd5f5 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -47,6 +47,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -107,6 +108,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,6 +158,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -207,6 +210,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md index 7a2f5f914a..31ab6fa6d5 100644 --- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md +++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md @@ -45,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -92,6 +93,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -138,6 +140,7 @@ IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 0cc81579bc..42835ecf22 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -69,6 +69,7 @@ ms.localizationpriority: medium |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -171,6 +172,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -270,6 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -381,6 +384,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -486,6 +490,7 @@ You can also change the evaluation order of device installation policy settings |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -543,6 +548,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -636,6 +642,7 @@ You can also block installation by using a custom profile in Intune. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -734,6 +741,7 @@ For example, this custom profile blocks installation and usage of USB devices wi |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -839,6 +847,7 @@ with |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 398e28de31..9a2ac9d034 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -84,6 +84,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| @@ -131,6 +132,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -178,6 +180,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -219,6 +222,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -273,6 +277,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -355,6 +360,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -405,6 +411,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -455,6 +462,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -495,6 +503,7 @@ Value type is a string, which is the full image filepath and filename. |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -549,6 +558,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -599,6 +609,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -672,6 +683,7 @@ For more information about this policy, see [Exchange ActiveSync Policy Engine O |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -748,6 +760,7 @@ The following example shows how to set the minimum password length to 4 characte |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -792,6 +805,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -845,6 +859,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md index f3f60dd44f..918e69d004 100644 --- a/windows/client-management/mdm/policy-csp-display.md 
+++ b/windows/client-management/mdm/policy-csp-display.md @@ -51,6 +51,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -94,6 +95,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -157,6 +159,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -200,6 +203,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -258,6 +262,7 @@ To validate on Desktop, do the following tasks: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 1258127e5e..a92e445ad0 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -38,6 +38,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md index 4a50535a07..445cc1cca1 100644 --- a/windows/client-management/mdm/policy-csp-eap.md +++ b/windows/client-management/mdm/policy-csp-eap.md @@ -38,6 +38,7 @@ manager: dansimp |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md index f846573eda..edab7bcabf 100644 --- a/windows/client-management/mdm/policy-csp-education.md 
+++ b/windows/client-management/mdm/policy-csp-education.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Education -
    @@ -35,7 +34,6 @@ manager: dansimp
    -
    @@ -47,11 +45,11 @@ manager: dansimp |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -
    @@ -65,7 +63,7 @@ manager: dansimp -This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality. +This policy setting allows you to control, whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality. ADMX Info: @@ -93,11 +91,11 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -
    @@ -129,6 +127,7 @@ The policy value is expected to be the name (network host name) of an installed |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -178,11 +177,11 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -
    @@ -205,6 +204,8 @@ The policy value is expected to be a `````` separated list of printer na
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md index fb0a5f37eb..df2804c31e 100644 --- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md +++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - EnterpriseCloudPrint - -
    @@ -42,7 +40,6 @@ manager: dansimp -
    @@ -54,6 +51,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -71,11 +69,11 @@ manager: dansimp -Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. +Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. -The datatype is a string. +Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://azuretenant.contoso.com/adfs```. @@ -91,6 +89,7 @@ The default value is an empty string. Otherwise, the value should contain the UR |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -110,7 +109,7 @@ The default value is an empty string. Otherwise, the value should contain the UR Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. -The datatype is a string. +Supported datatype is string. The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". @@ -128,6 +127,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -147,7 +147,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. -The datatype is a string. +Supported datatype is string. The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". @@ -165,6 +165,7 @@ The default value is an empty string. Otherwise, the value should contain a URL. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -184,9 +185,9 @@ The default value is an empty string. Otherwise, the value should contain a URL. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. -The datatype is a string. +Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". +The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, ```https://cloudprinterdiscovery.contoso.com```. @@ -202,6 +203,7 @@ The default value is an empty string. Otherwise, the value should contain the UR |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -221,7 +223,7 @@ The default value is an empty string. Otherwise, the value should contain the UR Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. -The datatype is an integer. +Supported datatype is integer. 
@@ -237,6 +239,7 @@ The datatype is an integer. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -256,9 +259,9 @@ The datatype is an integer. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. -The datatype is a string. +Supported datatype is string. -The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". +The default value is an empty string. Otherwise, the value should contain a URL. For example, ```http://MopriaDiscoveryService/CloudPrint```. @@ -267,3 +270,6 @@ The default value is an empty string. Otherwise, the value should contain a URL. +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-errorreporting.md b/windows/client-management/mdm/policy-csp-errorreporting.md index 37d4c94e64..720f5cae3c 100644 --- a/windows/client-management/mdm/policy-csp-errorreporting.md +++ b/windows/client-management/mdm/policy-csp-errorreporting.md 
@@ -15,11 +15,11 @@ manager: dansimp # Policy CSP - ErrorReporting > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -44,7 +44,6 @@ manager: dansimp -
    @@ -56,6 +55,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -83,7 +83,7 @@ If you enable this policy setting, you can add specific event types to a list by - 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any extra data requested by Microsoft. -- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent to send any extra data requested by Microsoft. +- 3 (Send parameters and safe extra data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and data which Windows has determined (within a high probability) doesn't contain personally identifiable data, and prompts the user for consent, to send any extra data requested by Microsoft. - 4 (Send all data): Any data requested by Microsoft is sent automatically. @@ -112,6 +112,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -129,7 +130,7 @@ ADMX Info: -This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. +This policy setting turns off Windows Error Reporting, so that reports aren't collected or sent to either Microsoft or internal servers within your organization, when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Reporting doesn't send any problem information to Microsoft. Additionally, solution information isn't available in Security and Maintenance in Control Panel. @@ -158,6 +159,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -175,7 +177,7 @@ ADMX Info: -This policy setting controls whether users are shown an error dialog box that lets them report an error. +This policy setting controls, whether users are shown an error dialog box that lets them report an error. If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. @@ -208,6 +210,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,7 +228,7 @@ ADMX Info: -This policy setting controls whether extra data in support of error reports can be sent to Microsoft automatically. +This policy setting controls, whether extra data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any extra data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. 
@@ -254,6 +257,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -293,3 +297,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md index ced6ab68a9..1616de5ece 100644 --- a/windows/client-management/mdm/policy-csp-eventlogservice.md +++ b/windows/client-management/mdm/policy-csp-eventlogservice.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - EventLogService - -
    @@ -36,7 +34,6 @@ manager: dansimp -
    @@ -48,6 +45,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -65,13 +63,14 @@ manager: dansimp -This policy setting controls Event Log behavior when the log file reaches its maximum size. +This policy setting controls Event Log behavior, when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events aren't written to the log and are lost. If you disable or don't configure this policy setting and a log file reaches its maximum size, new events overwrite old events. -Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. +> [!NOTE] +> Old events may or may not be retained according to the "Backup log automatically when full" policy setting. @@ -96,6 +95,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -117,7 +117,7 @@ This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. @@ -142,6 +142,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -163,7 +164,7 @@ This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. @@ -188,6 +189,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -209,7 +211,7 @@ This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. -If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. +If you disable or don't configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog, and it defaults to 20 megabytes. @@ -227,3 +229,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index b115b5df8c..b25dbf8552 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Experience - -
    @@ -99,7 +97,6 @@ manager: dansimp -
    @@ -111,6 +108,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -130,7 +128,7 @@ manager: dansimp Allows history of clipboard items to be stored in memory. -Value type is integer. Supported values: +Supported value type is integer. Supported values are: - 0 - Not allowed - 1 - Allowed (default) @@ -172,6 +170,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -205,8 +204,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -222,6 +221,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,8 +249,8 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -266,6 +266,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -287,7 +288,7 @@ This policy turns on Find My Device. When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. In Windows 10, version 1709 devices that are compatible with active digitizers, enabling Find My Device will also allow the user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of their active digitizer. -When Find My Device is off, the device and its location aren't registered and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device. +When Find My Device is off, the device and its location aren't registered, and the Find My Device feature won't work. In Windows 10, version 1709 the user won't be able to view the location of the last use of their active digitizer on their device. @@ -301,8 +302,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -318,6 +319,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -340,15 +342,14 @@ Specifies whether to allow the user to delete the workplace account using the wo > [!NOTE] > The MDM server can always remotely delete the account. - Most restricted value is 0. The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -377,6 +378,7 @@ This policy is deprecated. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -423,6 +425,7 @@ This policy is deprecated. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -459,6 +462,7 @@ Describes what values are supported in by this policy and meaning of each value |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -499,6 +503,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -522,7 +527,7 @@ This policy allows you to prevent Windows from using diagnostic data to provide Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. > [!NOTE] -> This setting doesn't control Cortana cutomized experiences because there are separate policies to configure it. +> This setting doesn't control Cortana customized experiences because there are separate policies to configure it. Most restricted value is 0. @@ -538,8 +543,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -555,6 +560,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -575,7 +581,6 @@ The following list shows the supported values: > [!NOTE] > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. 
@@ -607,6 +612,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -627,7 +633,6 @@ The following list shows the supported values: > [!NOTE] > Prior to Windows 10, version 1803, this policy had User scope. - This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. Most restricted value is 0. @@ -644,8 +649,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 – Allowed. +- 0 – Not allowed +- 1 – Allowed @@ -661,6 +666,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -681,8 +687,7 @@ The following list shows the supported values: > [!NOTE] > This policy is only available for Windows 10 Enterprise and Windows 10 Education. - -Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. +Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features, and other related features will be turned off. You should enable this policy setting, if your goal is to minimize network traffic from target devices. If you disable or don't configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Most restricted value is 0. @@ -698,8 +703,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -715,6 +720,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -749,8 +755,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -766,6 +772,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -801,8 +808,8 @@ ADMX Info: The following list shows the supported values: -- 0 - Not allowed. -- 1 - Allowed. +- 0 - Not allowed +- 1 - Allowed @@ -818,6 +825,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -836,7 +844,7 @@ The following list shows the supported values: -This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +This policy setting lets you turn off the Windows spotlight, and Windows welcome experience feature. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or don't configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. Most restricted value is 0. @@ -853,8 +861,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed +- 1 (default) – Allowed @@ -870,6 +878,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -901,8 +910,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Disabled. -- 1 (default) – Enabled. +- 0 – Disabled +- 1 (default) – Enabled @@ -918,6 +927,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|Yes| |Pro|No|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| 
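Review bot: In the @@ -836,7 +844,7 hunk, the rewritten first sentence changes what the setting is said to control. "the Windows spotlight Windows welcome experience feature" names a single feature, while "the Windows spotlight, and Windows welcome experience feature" reads as if the policy also turns off Windows spotlight as a whole. The rest of the paragraph describes only the Windows welcome experience, so restore the original sentence or reword it without the comma and the "and".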
@@ -937,7 +947,7 @@ This policy setting allows you to configure the Chat icon on the taskbar. -The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not enabled. +The values for this policy are 0, 1, 2, and 3. This policy defaults to 0, if not enabled. - 0 - Not Configured: The Chat icon will be configured according to the defaults for your Windows edition. - 1 - Show: The Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings. @@ -961,6 +971,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -979,10 +990,9 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not > [!NOTE] -> This policy is only available for Windows 10 Enterprise and Windows 10 Education. +> This policy is only available for Windows 10 Enterprise, and Windows 10 Education. - -Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. +Allows IT admins to specify, whether spotlight should be used on the user's lock screen. If your organization doesn't have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. @@ -1012,6 +1022,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1047,8 +1058,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Disabled. -- 1 – Enabled. +- 0 (default) – Disabled +- 1 – Enabled @@ -1064,6 +1075,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1116,6 +1128,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1153,7 +1166,6 @@ Supported values: - 0 (default) - Allowed/turned on. The "browser" group synchronizes automatically between users' devices and lets users make changes. - 2 - Prevented/turned off. The "browser" group doesn't use the _Sync your Settings_ option. - _**Sync the browser settings automatically**_ Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on). @@ -1190,6 +1202,7 @@ _**Turn syncing off by default but don’t disable**_ |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1251,7 +1264,7 @@ _**Prevent syncing of browser settings and let users turn on syncing**_ Validation procedure: 1. Select **More > Settings**. -1. See if the setting is enabled or disabled based on your selection. +1. See, if the setting is enabled or disabled based on your selection. @@ -1267,6 +1280,7 @@ Validation procedure: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1291,7 +1305,7 @@ If you enable this policy setting, the lock option is shown in the User Tile men If you disable this policy setting, the lock option is never shown in the User Tile menu. -If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose if they want to show the lock in the user tile menu from the Power Options control panel. +If you don't configure this policy setting, the lock option is shown in the User Tile menu. Users can choose, if they want to show the lock in the user tile menu from the Power Options control panel. @@ -1317,5 +1331,8 @@ Supported values:
    - + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 549a130038..80582e1ec2 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - ExploitGuard - -
    @@ -27,7 +25,6 @@ manager: dansimp -
    @@ -39,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -101,4 +99,8 @@ Here is an example:
    - \ No newline at end of file + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index b6ae2e95c6..f8a8f5eea5 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Feeds -
    @@ -26,7 +25,6 @@ manager: dansimp -
    @@ -38,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -55,7 +54,7 @@ manager: dansimp -This policy setting specifies whether news and interests is allowed on the device. +This policy setting specifies, whether news and interests is allowed on the device. The values for this policy are 1 and 0. This policy defaults to 1. @@ -77,3 +76,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 3599a3ce1a..b46e93af9c 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md 
@@ -15,11 +15,11 @@ manager: dansimp # Policy CSP - FileExplorer > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -28,14 +28,129 @@ manager: dansimp ## FileExplorer policies
    +
    + FileExplorer/AllowOptionToShowNetwork +
    +
    + FileExplorer/AllowOptionToShowThisPC +
    FileExplorer/TurnOffDataExecutionPreventionForExplorer
    FileExplorer/TurnOffHeapTerminationOnCorruption
    +
    + FileExplorer/SetAllowedFolderLocations +
    +
    + FileExplorer/SetAllowedStorageLocations +
    +
    + + +**FileExplorer/AllowOptionToShowNetwork** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + + +This policy allows the user with an option to show the network folder when restricted. + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowNetwork* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
    + + +**FileExplorer/AllowOptionToShowThisPC** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + + +This policy allows the user with an option to show this PC location when restricted. + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowThisPC* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + +
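Review bot: The new FileExplorer/AllowOptionToShowThisPC block reuses the GP Friendly name of AllowOptionToShowNetwork, "Allow the user the option to show Network folder when restricted", although its description is about showing the This PC location. Check the string against Explorer.admx and correct it before merge. In the same hunk, AllowOptionToShowNetwork is scoped to Device while AllowOptionToShowThisPC is scoped to User; confirm that difference is intended. Both descriptions ("allows the user with an option to show ...") would also read better as "gives the user the option to show ... when restricted".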
    @@ -48,6 +163,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -90,6 +206,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -109,6 +226,8 @@ ADMX Info: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + + ADMX Info: - GP Friendly name: *Turn off heap termination on corruption* @@ -120,5 +239,120 @@ ADMX Info:
    + +**FileExplorer/SetAllowedFolderLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + + + +This policy configures the folders that the user can enumerate and access in the File Explorer. + + + + +The following list shows the supported values: + +- 0: All folders +- 15:Desktop, Documents, Pictures, and Downloads +- 31:Desktop, Documents, Pictures, Downloads, and Network +- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads +- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedFolderLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
    + + +**FileExplorer/SetAllowedStorageLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
    + + + + + +This policy configures the folders that the user can enumerate and access in the File Explorer. + + + + +The following list shows the supported values: + +- 0: all storage locations +- 1: Removable Drives +- 2: Sync roots +- 3: Removable Drives, Sync roots, local drive + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedStorageLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
    + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md index 8f26e60ff4..e6fde52f63 100644 --- a/windows/client-management/mdm/policy-csp-games.md +++ b/windows/client-management/mdm/policy-csp-games.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Games - -
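Review bot: In the @@ -120,5 +239,120 hunk of policy-csp-fileexplorer.md, the FileExplorer/SetAllowedStorageLocations block repeats the SetAllowedFolderLocations description ("This policy configures the folders that the user can enumerate and access in the File Explorer.") and its GP Friendly name word for word, so the page never says what the storage policy controls. Give it its own description and verify the friendly name against Explorer.admx. The value lists need a pass as well: "15:Desktop", "31:Desktop", "47:This PC" and "63:This PC" lack the space after the colon that "0: All folders" has, the square brackets in values 47 and 63 are unexplained, and storage value 3 lists "local drive" although neither value 1 nor value 2 includes it and no value for the local drive alone is given.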
    @@ -27,7 +25,6 @@ manager: dansimp -
    @@ -39,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -56,7 +54,9 @@ manager: dansimp -Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer. +Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + +Supported value type is integer. @@ -72,3 +72,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md index c2b205ad92..8602af165b 100644 --- a/windows/client-management/mdm/policy-csp-handwriting.md +++ b/windows/client-management/mdm/policy-csp-handwriting.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Handwriting - -
    @@ -27,7 +25,6 @@ manager: dansimp -
    @@ -39,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -60,9 +58,9 @@ This policy allows an enterprise to configure the default mode for the handwriti The handwriting panel has two modes - floats near the text box, or docked to the bottom of the screen. The default configuration is the one floating near text box. If you want the panel to be fixed or docked, use this policy to fix it to the bottom of the screen. -In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. +In floating mode, the content is hidden behind a flying-in panel and results in end-user dissatisfaction. The end-user will need to drag the flying-in panel, to see the rest of the content. In the fixed mode, the flying-in panel is fixed to the bottom of the screen and doesn't require any user interaction. -The docked mode is especially useful in Kiosk mode where you don't expect the end-user to drag the flying-in panel out of the way. +The docked mode is especially useful in Kiosk mode, where you don't expect the end-user to drag the flying-in panel out of the way. @@ -85,3 +83,7 @@ The following list shows the supported values: + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index 9ce283864c..8b672ccbbf 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - HumanPresence - -
    @@ -33,7 +31,6 @@ manager: dansimp -
    @@ -45,6 +42,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -62,7 +60,7 @@ manager: dansimp -This policy specifies whether the device can lock when a human presence sensor detects a human. +This policy specifies, whether the device can lock when a human presence sensor detects a human. @@ -79,7 +77,7 @@ The following list shows the supported values: - 2 = ForcedOff - 1 = ForcedOn - 0 = DefaultToUserChoice -- Defaults to 0. +- Defaults to 0 @@ -94,6 +92,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -111,7 +110,7 @@ The following list shows the supported values: -This policy specifies whether the device can lock when a human presence sensor detects a human. +This policy specifies, whether the device can lock when a human presence sensor detects a human. @@ -128,7 +127,7 @@ The following list shows the supported values: - 2 = ForcedOff - 1 = ForcedOn - 0 = DefaultToUserChoice -- Defaults to 0. +- Defaults to 0 @@ -143,6 +142,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -160,7 +160,7 @@ The following list shows the supported values: -This policy specifies at what distance the sensor wakes up when it sees a human in seconds. +This policy specifies, at what distance the sensor wakes up when it sees a human in seconds. @@ -172,7 +172,7 @@ ADMX Info: -Integer value that specifies whether the device can lock when a human presence sensor detects a human. +Integer value that specifies, whether the device can lock when a human presence sensor detects a human. The following list shows the supported values: 
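Review bot: In the @@ -172,7 +172,7 hunk, the comma added after "specifies" ("Integer value that specifies, whether the device can lock ...") separates the verb from its object clause and should be dropped; the same comma is introduced in the -62,7, -111,7 and -160,7 hunks of this file. The -160,7 line is also edited without fixing its real problem: it says the policy sets "at what distance the sensor wakes up when it sees a human in seconds", which mixes a distance with a unit of time. Since the line is being touched anyway, state which quantity the value represents. Changing "- Defaults to 0." to "- Defaults to 0" keeps the default as a bullet in the list of supported values; it would be clearer as a sentence after the list.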
@@ -188,3 +188,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index a4b2b54bee..1f621319a6 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -13,8 +13,6 @@ manager: dansimp # Policy CSP - InternetExplorer - -
    @@ -803,11 +801,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -820,6 +818,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -840,9 +839,12 @@ manager: dansimp This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. -If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). -If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. +> [!NOTE] +> This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure their list of search providers, unless another policy setting restricts such configuration. @@ -867,6 +869,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -885,7 +888,7 @@ ADMX Info: -This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites, so that ActiveX controls can run properly. If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. @@ -914,6 +917,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -938,11 +942,11 @@ This list can be used with the 'Deny all add-ons unless specifically allowed in If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: -Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. +- Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. -Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. +- Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied, enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. -If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. +If you disable this policy setting, the list is deleted. 
The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will determine, whether add-ons not in this list are assumed to be denied. @@ -967,6 +971,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -988,7 +993,7 @@ This AutoComplete feature can remember and suggest User names and passwords on F If you enable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "prompt me to save passwords". -If you disable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. +If you disable this setting, the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords. If you do not configure this setting, the user has the freedom of turning on Auto complete for User name and passwords on forms and the option of prompting to save passwords. To display this option, the users open the Internet Options dialog box, click the Contents Tab and click the Settings button. @@ -1015,6 +1020,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1033,7 +1039,7 @@ ADMX Info: -This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. +This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned, when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks. If you enable this policy setting, the certificate address mismatch warning always appears. @@ -1062,6 +1068,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1113,6 +1120,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1162,6 +1170,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1180,7 +1189,7 @@ ADMX Info: -This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. +This policy setting allows Internet Explorer to provide enhanced suggestions, as the user types in the Address bar. To provide enhanced suggestions, the user's keystrokes are sent to Microsoft through Microsoft services. If you enable this policy setting, users receive enhanced suggestions while typing in the Address bar. In addition, users cannot change the Suggestions setting on the Settings charm. 
@@ -1222,6 +1231,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1240,7 +1250,7 @@ Supported values: -This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode, using the Tools menu. If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. @@ -1269,6 +1279,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1316,6 +1327,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1333,7 +1345,7 @@ ADMX Info: -This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails. +This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below, when TLS 1.0 or greater fails. We recommend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack. 
@@ -1364,6 +1376,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1411,6 +1424,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1429,7 +1443,7 @@ ADMX Info: -This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. +This policy setting controls, how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. @@ -1460,6 +1474,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1478,7 +1493,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1486,9 +1501,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1513,6 +1530,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1531,7 +1549,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone, consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1539,9 +1557,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1566,6 +1586,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1584,7 +1605,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1592,9 +1613,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1619,6 +1642,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1637,7 +1661,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1645,9 +1669,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1672,6 +1698,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1690,7 +1717,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1698,9 +1725,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1725,6 +1754,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1743,7 +1773,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1751,9 +1781,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1778,6 +1810,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1796,7 +1829,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -1804,9 +1837,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -1831,6 +1866,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1878,6 +1914,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1936,6 +1973,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1956,13 +1994,19 @@ ADMX Info: This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. -Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: +1. Intranet zone +1. Trusted Sites zone +1. Internet zone +1. Restricted Sites zone -If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site.  For each entry that you add to the list, enter the following information: +Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Medium template), Intranet zone (Medium-Low template), Internet zone (Medium-high template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) -Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. 
For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: -Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. +- Valuename – A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also include a specific protocol. For example, if you enter `` as the valuename, other protocols are not affected. If you enter just `www.contoso.com,` then all protocols are affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for `www.contoso.com` and `www.contoso.com/mail` would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. + +- Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. 
If you disable or do not configure this policy, users may choose their own site-to-zone assignments. @@ -2019,6 +2063,7 @@ Value and index pairs in the SyncML example: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2068,6 +2113,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2086,7 +2132,7 @@ ADMX Info: -This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit. +This policy setting controls the Suggested Sites feature, which recommends websites based on the user’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft, to suggest sites that the user might want to visit. If you enable this policy setting, the user is not prompted to enable Suggested Sites. The user’s browsing history is sent to Microsoft to produce suggestions. @@ -2117,6 +2163,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2135,7 +2182,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -2143,9 +2190,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -2170,6 +2219,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2188,7 +2238,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -2196,9 +2246,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -2223,6 +2275,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2241,7 +2294,7 @@ ADMX Info: -This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level. For example, Low, Medium Low, Medium, or High. If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. 
@@ -2249,9 +2302,11 @@ If you disable this template policy setting, no security level is configured. If you do not configure this template policy setting, no security level is configured. -Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. +> [!NOTE] +> Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. -Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. +> [!NOTE] +> It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. @@ -2276,6 +2331,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2325,6 +2381,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2343,7 +2400,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. +This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software, and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs. If you enable this policy setting, Internet Explorer will check the digital signatures of executable programs and display their identities before downloading them to user computers. @@ -2373,6 +2430,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2396,21 +2454,21 @@ Enables you to configure up to three versions of Microsoft Edge to open a redire If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - 1 = Microsoft Edge Stable - 2 = Microsoft Edge Beta version 77 or later - 3 = Microsoft Edge Dev version 77 or later - 4 = Microsoft Edge Canary version 77 or later + - 1 = Microsoft Edge Stable + - 2 = Microsoft Edge Beta version 77 or later + - 3 = Microsoft Edge Dev version 77 or later + - 4 = Microsoft Edge Canary version 77 or later - If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: - If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: - 0 = Microsoft Edge version 45 or earlier - 1 = Microsoft Edge Stable - 2 = Microsoft Edge Beta version 77 or later - 3 = Microsoft Edge Dev version 77 or later - 4 = Microsoft Edge Canary version 77 or later + - 0 = Microsoft Edge version 45 or earlier + - 1 = Microsoft Edge Stable + - 2 = Microsoft Edge Beta version 77 or later + - 3 = Microsoft Edge Dev version 77 or later + - 4 = Microsoft Edge Canary version 77 or later - If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. @@ -2642,6 +2700,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2662,7 +2721,7 @@ ADMX Info: Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. -This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. +This policy setting determines, whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain, but the MIME sniff indicates that the file is really an executable file, then Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files. @@ -2693,6 +2752,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2713,7 +2773,7 @@ ADMX Info: This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading. > [!Caution] -> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. +> If you enable this setting, IE stops downloading updated versions of VersionList.XML. Turning off this automatic download, breaks the [out-of-date ActiveX control blocking feature](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. If you disable or do not configure this setting, IE continues to download updated versions of VersionList.XML. @@ -2751,6 +2811,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2800,6 +2861,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2847,6 +2909,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2894,6 +2957,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2952,6 +3016,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2970,7 +3035,10 @@ Supported values: -This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, from the Menu bar, on the Tools menu, click Internet Options, click the General tab, and then click Settings under Browsing history. +This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Internet Files and History Settings dialog box, do the following: + +1. From the Menu bar, on the Tools menu, click Internet Options. +1. Click the General tab, and then click Settings under Browsing history. If you enable this policy setting, a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsing history. @@ -2999,6 +3067,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3046,6 +3115,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3095,6 +3165,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3146,6 +3217,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3193,6 +3265,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3217,7 +3290,8 @@ If you enable this policy setting, the browser negotiates or does not negotiate If you disable or do not configure this policy setting, the user can select which encryption method the browser supports. -Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. +> [!NOTE] +> SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0. @@ -3242,6 +3316,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3300,6 +3375,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3318,7 +3394,7 @@ Supported values: -This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows. +This policy setting prevents Internet Explorer from running the First Run wizard, the first time a user starts the browser after installing Internet Explorer or Windows. If you enable this policy setting, you must make one of the following choices: - Skip the First Run wizard, and go directly to the user's home page. 
@@ -3326,7 +3402,7 @@ If you enable this policy setting, you must make one of the following choices: Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen. -If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation. +If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard, the first time the browser is started after installation. @@ -3351,6 +3427,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3402,6 +3479,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3462,6 +3540,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3506,6 +3585,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3578,6 +3658,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3625,6 +3706,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3676,6 +3758,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3694,13 +3777,14 @@ ADMX Info: -This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows. +This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater compatibility), when running in Enhanced Protected Mode on 64-bit versions of Windows. -Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used. +> [!IMPORTANT] +> Some ActiveX controls and toolbars may not be available when 64-bit processes are used. -If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. +If you enable this policy setting, Internet Explorer 11 will use 64-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. -If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows. +If you disable this policy setting, Internet Explorer 11 will use 32-bit tab processes, when running in Enhanced Protected Mode on 64-bit versions of Windows. If you don't configure this policy setting, users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default. @@ -3727,6 +3811,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3774,6 +3859,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3821,6 +3907,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3845,7 +3932,8 @@ If you enable this policy setting, you can specify which default home pages shou If you disable or do not configure this policy setting, the user can add secondary home pages. -Note: If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. +> [!NOTE] +> If the “Disable Changing Home Page Settings” policy is enabled, the user cannot add secondary home pages. @@ -3870,6 +3958,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3917,6 +4006,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3936,7 +4026,7 @@ ADMX Info: Prevents Internet Explorer from checking whether a new version of the browser is available. -If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available. +If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifies users if a new version is available. If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available. @@ -3965,6 +4055,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4025,6 +4116,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4076,6 +4168,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4101,7 +4194,8 @@ If you disable this policy or do not configure it, users can add Web sites to or This policy prevents users from changing site management settings for security zones established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. +> [!NOTE] +> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. @@ -4128,6 +4222,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4153,7 +4248,8 @@ If you disable this policy or do not configure it, users can change the settings This policy prevents users from changing security zone settings established by the administrator. -Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. +> [!NOTE] +> The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored. Also, see the "Security zones: Use only machine settings" policy. 
@@ -4180,6 +4276,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4229,6 +4326,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4251,9 +4349,9 @@ This policy setting allows you to manage a list of domains on which Internet Exp If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following: -1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" -2. "hostname". For example, if you want to include http://example, use "example" -3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm" +1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com". +2. "hostname". For example, if you want to include http://example, use "example". +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm". If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone. @@ -4282,6 +4380,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4310,8 +4409,8 @@ This policy setting lets admins enable extended Microsoft Edge Internet Explorer The following list shows the supported values: -- 0 (default) - Disabled. -- 1 - Enabled. +- 0 (default) - Disabled +- 1 - Enabled @@ -4334,6 +4433,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4352,11 +4452,11 @@ ADMX Info: -This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. +This policy setting controls, whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone. If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone. -If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone). +If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered in the Intranet Zone (so would typically be in the Internet Zone). If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone. @@ -4383,6 +4483,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4401,7 +4502,7 @@ ADMX Info: -This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone. +This policy setting controls, whether URLs representing UNCs are mapped into the local Intranet security zone. If you enable this policy setting, all network paths are mapped into the Intranet Zone. @@ -4432,6 +4533,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4450,7 +4552,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -4481,6 +4583,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4499,7 +4602,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -4530,6 +4633,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4548,7 +4652,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. 
@@ -4577,6 +4681,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4595,11 +4700,11 @@ ADMX Info: -This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. +This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. -If you select Prompt in the drop-down box, users are queried as to whether to perform clipboard operations. +If you select Prompt in the drop-down box, users are queried, whether to perform clipboard operations. If you disable this policy setting, a script cannot perform a clipboard operation. @@ -4628,6 +4733,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4646,7 +4752,7 @@ ADMX Info: -This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. +This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. @@ -4677,6 +4783,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4695,7 +4802,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -4726,6 +4833,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4744,11 +4852,11 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. @@ -4775,6 +4883,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4824,6 +4933,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4842,9 +4952,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -4873,6 +4983,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4891,7 +5002,7 @@ ADMX Info: -This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. +This policy setting controls, whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. 
@@ -4920,6 +5031,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4938,7 +5050,7 @@ ADMX Info: -This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. +This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. @@ -4967,6 +5079,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5016,6 +5129,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5034,7 +5148,7 @@ ADMX Info: -This policy setting determines whether a page can control embedded WebBrowser controls via script. +This policy setting determines, whether a page can control embedded WebBrowser controls via script. If you enable this policy setting, script access to the WebBrowser control is allowed. @@ -5065,6 +5179,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5083,7 +5198,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -5114,6 +5229,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5132,7 +5248,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -5140,7 +5256,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -5165,6 +5282,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5183,7 +5301,7 @@ ADMX Info: -This policy setting allows you to manage whether script is allowed to update the status bar within the zone. +This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. @@ -5212,6 +5330,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5230,7 +5349,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -5261,6 +5380,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5279,7 +5399,7 @@ ADMX Info: -This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. +This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -5312,6 +5432,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5332,11 +5453,11 @@ ADMX Info: This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -5361,6 +5482,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5379,13 +5501,13 @@ ADMX Info: -This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. +This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. If you disable the policy setting, signed controls cannot be downloaded. -If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. +If you do not configure this policy setting, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. @@ -5410,6 +5532,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5428,7 +5551,7 @@ ADMX Info: -This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. +This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. @@ -5459,6 +5582,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5506,6 +5630,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5524,15 +5649,15 @@ ADMX Info: -This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. +This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. 
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. @@ -5557,6 +5682,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5575,15 +5701,15 @@ ADMX Info: -This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. +This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. 
-In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. @@ -5608,6 +5734,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5657,6 +5784,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5675,7 +5803,7 @@ ADMX Info: -This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system. +This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities, by reducing the locations that Internet Explorer can write to in the registry and the file system. If you enable this policy setting, Protected Mode is turned on. The user cannot turn off Protected Mode. @@ -5706,6 +5834,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5724,7 +5853,7 @@ ADMX Info: -This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. +This policy setting controls whether or not local path information is sent, when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. @@ -5755,6 +5884,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5805,7 +5935,8 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| -|Business||| +|Windows SE|No|Yes| +|Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -5828,6 +5959,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5852,7 +5984,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -5883,6 +6015,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5901,9 +6034,9 @@ ADMX Info: -This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. -If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. +If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone, without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. If you disable this policy setting, users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone. @@ -5932,6 +6065,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -5954,11 +6088,11 @@ This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. -Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. +Automatic logon, only in Intranet zone to query users for user IDs and passwords in other zones. After a user is queried, these values can be used silently for the remainder of the session. Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server, the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server, the user is queried to provide the user name and password. @@ -5989,6 +6123,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6007,13 +6142,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -6038,6 +6173,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6056,9 +6192,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. @@ -6087,6 +6223,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6105,7 +6242,7 @@ ADMX Info: -This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). +This policy setting controls, whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. @@ -6136,6 +6273,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6154,7 +6292,7 @@ ADMX Info: -This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. +This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened, when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. @@ -6185,6 +6323,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6203,13 +6342,13 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -6234,6 +6373,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6252,7 +6392,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -6283,6 +6423,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6301,7 +6442,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -6330,6 +6471,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6348,7 +6490,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -6379,6 +6521,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6397,11 +6540,11 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. @@ -6428,6 +6571,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6446,9 +6590,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag, and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -6477,6 +6621,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6495,7 +6640,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -6526,6 +6671,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6544,7 +6690,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -6552,7 +6698,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -6577,6 +6724,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6595,7 +6743,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -6626,6 +6774,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6644,13 +6793,13 @@ ADMX Info: -This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -6675,6 +6824,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6726,6 +6876,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6750,7 +6901,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -6781,6 +6932,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6799,13 +6951,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -6830,6 +6982,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6851,7 +7004,7 @@ ADMX Info: This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. > [!NOTE] -> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect. +> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) policy is not enabled, then this policy has no effect. If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. @@ -6905,6 +7058,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -6923,7 +7077,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -6954,6 +7108,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -6972,7 +7127,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -7003,6 +7158,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7021,7 +7177,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -7050,6 +7206,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7068,7 +7225,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -7099,6 +7256,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7117,13 +7275,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. @@ -7148,6 +7306,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7166,9 +7325,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -7197,6 +7356,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7215,7 +7375,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -7246,6 +7406,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7264,7 +7425,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -7272,7 +7433,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -7297,6 +7459,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7315,7 +7478,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -7346,6 +7509,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7364,13 +7528,13 @@ ADMX Info: -This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -7395,6 +7559,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7446,6 +7611,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7470,7 +7636,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -7501,6 +7667,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7519,13 +7686,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -7550,6 +7717,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7568,7 +7736,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -7599,6 +7767,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7617,7 +7786,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -7648,6 +7817,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7666,7 +7836,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. 
@@ -7695,6 +7865,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7713,7 +7884,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -7744,6 +7915,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7762,13 +7934,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be in this zone, as set by Protection from Zone Elevation feature control. @@ -7793,6 +7965,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7811,9 +7984,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage whether, .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -7842,6 +8015,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7860,7 +8034,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -7891,6 +8065,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -7909,7 +8084,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -7917,7 +8092,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -7942,6 +8118,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -7960,7 +8137,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -7991,6 +8168,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8042,6 +8220,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8066,7 +8245,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -8097,6 +8276,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8115,13 +8295,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -8146,6 +8326,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8170,7 +8351,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -8201,6 +8382,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8219,13 +8401,13 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. -If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. +If you do not configure this policy setting, users are queried to choose, whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -8250,6 +8432,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8268,7 +8451,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -8299,6 +8482,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8317,7 +8501,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -8346,6 +8530,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8364,7 +8549,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -8395,6 +8580,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8413,13 +8599,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. @@ -8444,6 +8630,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8462,9 +8649,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -8493,6 +8680,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8511,7 +8699,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -8542,6 +8730,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8560,7 +8749,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -8568,7 +8757,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -8593,6 +8783,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8611,7 +8802,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -8642,6 +8833,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8693,6 +8885,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8711,13 +8904,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -8742,6 +8935,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8760,7 +8954,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -8791,6 +8985,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8809,7 +9004,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -8840,6 +9035,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8858,7 +9054,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. 
@@ -8887,6 +9083,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -8905,7 +9102,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -8936,6 +9133,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -8954,13 +9152,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. @@ -8985,6 +9183,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9003,9 +9202,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -9034,6 +9233,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9052,7 +9252,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -9083,6 +9283,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9101,7 +9302,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -9109,7 +9310,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -9134,6 +9336,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9152,7 +9355,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -9183,6 +9386,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9234,6 +9438,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9258,7 +9463,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -9289,6 +9494,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9307,13 +9513,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -9338,6 +9544,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9356,7 +9563,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -9387,6 +9594,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9405,7 +9613,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -9436,6 +9644,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9454,7 +9663,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. 
@@ -9483,6 +9692,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9501,7 +9711,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -9532,6 +9742,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9550,13 +9761,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. @@ -9581,6 +9792,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9599,9 +9811,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -9630,6 +9842,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9648,7 +9861,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -9679,6 +9892,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9697,7 +9911,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -9705,7 +9919,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -9730,6 +9945,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9748,7 +9964,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -9779,6 +9995,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9797,7 +10014,7 @@ ADMX Info: -This policy setting allows you to manage ActiveX controls not marked as safe. +This policy setting allows you to manage, ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. @@ -9830,6 +10047,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9854,7 +10072,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -9885,6 +10103,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -9903,9 +10122,9 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. +If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. @@ -9934,6 +10153,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -9952,7 +10172,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. 
@@ -9983,6 +10203,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10001,7 +10222,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -10032,6 +10253,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10050,7 +10272,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -10079,6 +10301,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10097,7 +10320,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. 
@@ -10128,6 +10351,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10150,9 +10374,9 @@ This policy setting allows you to manage whether Web sites from less privileged If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. @@ -10177,6 +10401,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10195,9 +10420,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -10226,6 +10451,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10244,7 +10470,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -10275,6 +10501,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10293,7 +10520,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls whether, Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -10301,7 +10528,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -10326,6 +10554,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10344,7 +10573,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -10375,6 +10604,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10426,6 +10656,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10450,7 +10681,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -10481,6 +10712,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10499,13 +10731,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -10530,6 +10762,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10579,6 +10812,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10597,7 +10831,7 @@ ADMX Info: -This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. +This policy setting determines, whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type. @@ -10628,6 +10862,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10646,7 +10881,7 @@ ADMX Info: -This policy setting allows you to specify what is displayed when the user opens a new tab. +This policy setting allows you to specify, what is displayed when the user opens a new tab. If you enable this policy setting, you can choose which page to display when the user opens a new tab: blank page (about:blank), the first home page, the new tab page or the new tab page with my news feed. @@ -10689,6 +10924,7 @@ Supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10707,7 +10943,7 @@ Supported values: -This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. +This policy setting allows you to manage, whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes. @@ -10738,6 +10974,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10785,6 +11022,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10832,6 +11070,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10850,7 +11089,7 @@ ADMX Info: -Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. +Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation, if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes. @@ -10881,6 +11120,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -10901,9 +11141,9 @@ ADMX Info: This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer. -If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. +If you enable this policy setting, users won't see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. -If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. +If you disable or don't configure this policy setting, users will see the "Run this time" button on the warning message that appears, when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library. @@ -10930,6 +11170,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -10979,6 +11220,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11028,6 +11270,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -11046,7 +11289,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. @@ -11077,6 +11320,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11095,7 +11339,7 @@ ADMX Info: -This policy setting allows you to manage whether script code on pages in the zone is run. +This policy setting allows you to manage, whether script code on pages in the zone is run. If you enable this policy setting, script code on pages in the zone can run automatically. If you select Prompt in the drop-down box, users are queried to choose whether to allow script code on pages in the zone to run. @@ -11126,6 +11370,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11144,7 +11389,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. 
@@ -11175,6 +11420,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11193,7 +11439,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -11222,6 +11468,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11271,6 +11518,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11289,7 +11537,7 @@ ADMX Info: -This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. +This policy setting allows you to manage, whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region. If you enable this policy setting, a script can perform a clipboard operation. @@ -11322,6 +11570,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -11340,7 +11589,7 @@ ADMX Info: -This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone. +This policy setting allows you to manage, whether users can drag files or copy and paste files from a source within the zone. If you enable this policy setting, users can drag files or copy and paste files from this zone automatically. If you select Prompt in the drop-down box, users are queried to choose whether to drag or copy files from this zone. @@ -11371,6 +11620,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11389,7 +11639,7 @@ ADMX Info: -This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. +This policy setting allows you to manage, whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered. If you enable this policy setting, files can be downloaded from the zone. @@ -11420,6 +11670,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11438,7 +11689,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. @@ -11469,6 +11720,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -11487,13 +11739,13 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. -If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. @@ -11518,6 +11770,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11567,6 +11820,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -11585,7 +11839,7 @@ ADMX Info: -This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. +This policy setting allows you to manage, whether a user's browser can be redirected to another Web page, if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page. If you enable this policy setting, a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page. @@ -11616,6 +11870,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11634,9 +11889,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. 
@@ -11665,6 +11920,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11685,7 +11941,7 @@ ADMX Info: This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control. -If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or from all sites. +If you enable this policy setting, the user is prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control, to run from the current site or from all sites. If you disable this policy setting, the user does not see the per-site ActiveX prompt, and ActiveX controls can run from all sites in this zone. @@ -11712,6 +11968,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11730,7 +11987,7 @@ ADMX Info: -This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites. +This policy setting controls, whether or not the user is allowed to run the TDC ActiveX control on websites. If you enable this policy setting, the TDC ActiveX control will not run from websites in this zone. @@ -11759,6 +12016,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -11777,13 +12035,13 @@ ADMX Info: -This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars. +This policy setting allows you to manage restrictions on script-initiated pop-up windows, and windows that include the title and status bars. If you enable this policy setting, Windows Restrictions security will not apply in this zone. The security zone runs without the added layer of security provided by this feature. -If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +If you disable this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone, as dictated by the Scripted Windows Security Restrictions feature control setting for the process. -If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process. +If you do not configure this policy setting, the possible harmful actions contained in script-initiated pop-up windows, and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone<> as dictated by the Scripted Windows Security Restrictions feature control setting for the process. 
@@ -11808,6 +12066,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11826,7 +12085,7 @@ ADMX Info: -This policy setting determines whether a page can control embedded WebBrowser controls via script. +This policy setting determines, whether a page can control embedded WebBrowser controls via script. If you enable this policy setting, script access to the WebBrowser control is allowed. @@ -11857,6 +12116,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11875,7 +12135,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -11906,6 +12166,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11924,7 +12185,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -11932,7 +12193,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. 
@@ -11957,6 +12219,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -11975,7 +12238,7 @@ ADMX Info: -This policy setting allows you to manage whether script is allowed to update the status bar within the zone. +This policy setting allows you to manage, whether script is allowed to update the status bar within the zone. If you enable this policy setting, script is allowed to update the status bar. @@ -12004,6 +12267,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12022,7 +12286,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. @@ -12053,6 +12317,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12071,7 +12336,7 @@ ADMX Info: -This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer. +This policy setting allows you to manage, whether VBScript can be run on pages from the specified zone in Internet Explorer. If you selected Enable in the drop-down box, VBScript can run without user intervention. @@ -12104,6 +12369,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12122,13 +12388,13 @@ ADMX Info: -This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -12153,6 +12419,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12171,7 +12438,7 @@ ADMX Info: -This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone. +This policy setting allows you to manage, whether users may download signed ActiveX controls from a page in the zone. If you enable this policy, users can download signed controls without user intervention. If you select Prompt in the drop-down box, users are queried whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded. @@ -12202,6 +12469,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12220,7 +12488,7 @@ ADMX Info: -This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. +This policy setting allows you to manage, whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone. If you enable this policy setting, users can run unsigned controls without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to allow the unsigned control to run. @@ -12251,6 +12519,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12269,7 +12538,7 @@ ADMX Info: -This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. +This policy controls, whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone. If you enable this policy setting, the XSS Filter is turned on for sites in this zone, and the XSS Filter attempts to block cross-site script injections. @@ -12298,6 +12567,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12316,15 +12586,15 @@ ADMX Info: -This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows. +This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in different windows. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change this setting. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when both the source and destination are in different windows. Users cannot change this setting. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in different windows. Users can change this setting in the Internet Options dialog. -In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot change this setting. 
+In Internet Explorer 9 and earlier versions, if you disable this policy or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in different windows. Users cannot change this setting. @@ -12349,6 +12619,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12367,15 +12638,15 @@ ADMX Info: -This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window. +This policy setting allows you to set options for dragging content from one domain to a different domain, when the source and destination are in the same window. -If you enable this policy setting and click Enable, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting. +If you enable this policy setting and click Enable, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting. -If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +If you enable this policy setting and click Disable, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. -In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. +In Internet Explorer 10, if you disable this policy setting or do not configure it, users cannot drag content from one domain to a different domain, when the source and destination are in the same window. Users can change this setting in the Internet Options dialog. 
-In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. +In Internet Explorer 9 and earlier versions, if you disable this policy setting or do not configure it, users can drag content from one domain to a different domain, when the source and destination are in the same window. Users cannot change this setting in the Internet Options dialog. @@ -12400,6 +12671,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12449,6 +12721,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12467,13 +12740,13 @@ ADMX Info: -This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. +This policy setting controls, whether or not local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path. If you enable this policy setting, path information is sent when the user is uploading a file via an HTML form. If you disable this policy setting, path information is removed when the user is uploading a file via an HTML form. -If you do not configure this policy setting, the user can choose whether path information is sent when he or she is uploading a file via an HTML form. By default, path information is sent. +If you do not configure this policy setting, the user can choose whether path information is sent, when he or she is uploading a file via an HTML form. By default, path information is sent. @@ -12498,6 +12771,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12549,6 +12823,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12573,7 +12848,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -12604,6 +12879,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12622,7 +12898,7 @@ ADMX Info: -This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. +This policy setting allows you to manage, whether applications may be run and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone. If you enable this policy setting, users can run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down box, users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone. @@ -12653,6 +12929,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12675,7 +12952,7 @@ This policy setting allows you to manage settings for logon options. If you enable this policy setting, you can choose from the following logon options. -Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol. +Anonymous logon to disable HTTP authentication, and use the guest account only for the Common Internet File System (CIFS) protocol. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session. @@ -12710,6 +12987,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12728,9 +13006,9 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. +If you enable this policy setting, users can open additional windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. @@ -12759,6 +13037,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12777,7 +13056,7 @@ ADMX Info: -This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone. +This policy setting allows you to manage, whether ActiveX controls and plug-ins can be run on pages from the specified zone. If you enable this policy setting, controls and plug-ins can run without user intervention. @@ -12810,6 +13089,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12828,9 +13108,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute signed managed components. +If you enable this policy setting, Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute signed managed components. If you disable this policy setting, Internet Explorer will not execute signed managed components. @@ -12859,6 +13139,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -12877,7 +13158,7 @@ ADMX Info: -This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script. +This policy setting allows you to manage, whether an ActiveX control marked safe for scripting can interact with a script. If you enable this policy setting, script interaction can occur automatically without user intervention. @@ -12910,6 +13191,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12928,7 +13210,7 @@ ADMX Info: -This policy setting allows you to manage whether applets are exposed to scripts within the zone. +This policy setting allows you to manage, whether applets are exposed to scripts within the zone. If you enable this policy setting, scripts can access applets automatically without user intervention. @@ -12961,6 +13243,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -12979,7 +13262,7 @@ ADMX Info: -This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). +This policy setting controls, whether or not the "Open File - Security Warning" message appears, when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you enable this policy setting and set the drop-down box to Enable, these files open without a security warning. If you set the drop-down box to Prompt, a security warning appears before the files open. @@ -13010,6 +13293,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13059,6 +13343,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13077,7 +13362,7 @@ ADMX Info: -This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. +This policy setting allows you to manage, whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked. If you enable this policy setting, most unwanted pop-up windows are prevented from appearing. @@ -13108,6 +13393,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13126,13 +13412,13 @@ ADMX Info: -Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. +Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts pop-up windows, and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. -If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. +If you enable this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. -If you disable this policy setting, scripts can continue to create popup windows and windows that obfuscate other windows. +If you disable this policy setting, scripts can continue to create pop-up windows and windows that obfuscate other windows. -If you do not configure this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes. +If you do not configure this policy setting, pop-up windows and other restrictions apply for File Explorer and Internet Explorer processes. @@ -13157,6 +13443,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13177,7 +13464,10 @@ ADMX Info: This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. -If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. +If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. + +> [!NOTE] +> This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. If you disable or do not configure this policy setting, the user can configure his or her list of search providers. @@ -13204,6 +13494,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13254,6 +13545,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13272,7 +13564,7 @@ ADMX Info: -This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List. +This setting lets you decide, whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting, and you must include at least one site in the Enterprise Mode Site List. If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. @@ -13324,6 +13616,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13371,6 +13664,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13389,7 +13683,7 @@ ADMX Info: -This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). +This policy setting allows you to manage, whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. 
@@ -13420,6 +13714,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13438,7 +13733,7 @@ ADMX Info: -This policy setting manages whether users will be automatically prompted for ActiveX control installations. +This policy setting manages, whether users will be automatically prompted for ActiveX control installations. If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. @@ -13469,6 +13764,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13487,7 +13783,7 @@ ADMX Info: -This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. +This policy setting determines, whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. If you enable this setting, users will receive a file download dialog for automatic download attempts. @@ -13516,6 +13812,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13534,7 +13831,7 @@ ADMX Info: -This policy setting allows you to manage whether pages of the zone may download HTML fonts. +This policy setting allows you to manage, whether pages of the zone may download HTML fonts. If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. 
@@ -13565,6 +13862,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13583,11 +13881,11 @@ ADMX Info: -This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. +This policy setting allows you to manage, whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone. -If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. -If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone, as set by Protection from Zone Elevation feature control. If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur. @@ -13614,6 +13912,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13632,9 +13931,9 @@ ADMX Info: -This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. +This policy setting allows you to manage, whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. -If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine, whether to execute unsigned managed components. If you disable this policy setting, Internet Explorer will not execute unsigned managed components. @@ -13663,6 +13962,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13681,7 +13981,7 @@ ADMX Info: -This policy setting allows you to manage whether the user can run scriptlets. +This policy setting allows you to manage, whether the user can run scriptlets. If you enable this policy setting, the user can run scriptlets. @@ -13712,6 +14012,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13730,7 +14031,7 @@ ADMX Info: -This policy setting controls whether Windows Defender SmartScreen scans pages in this zone for malicious content. +This policy setting controls, whether Windows Defender SmartScreen scans pages in this zone for malicious content. If you enable this policy setting, Windows Defender SmartScreen scans pages in this zone for malicious content. @@ -13738,7 +14039,8 @@ If you disable this policy setting, Windows Defender SmartScreen does not scan p If you do not configure this policy setting, the user can choose whether Windows Defender SmartScreen scans pages in this zone for malicious content. -Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. +> [!NOTE] +> In Internet Explorer 7, this policy setting controls whether Phishing Filter, scans pages in this zone for malicious content. @@ -13763,6 +14065,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13781,7 +14084,7 @@ ADMX Info: -This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored, if this policy setting is appropriately configured. If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
@@ -13812,6 +14115,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13830,13 +14134,13 @@ ADMX Info: -This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. +This policy setting determines, whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages. -If you enable this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you enable this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you disable this policy setting, Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. +If you disable this policy setting, Internet Explorer always checks with your antimalware program, to see if it's safe to create an instance of the ActiveX control. -If you don't configure this policy setting, Internet Explorer won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. +If you don't configure this policy setting, Internet Explorer won't check with your antimalware program, to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer Security settings. @@ -13861,6 +14165,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -13912,6 +14217,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13936,7 +14242,7 @@ If you enable this policy setting, you can choose options from the drop-down box Low Safety enables applets to perform all operations. -Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer) and user-controlled file I/O. +Medium Safety enables applets to run in their sandbox (an area in memory outside of which the program cannot make calls), plus capabilities like scratch space (a safe and secure storage area on the client computer), and user-controlled file I/O. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running. @@ -13967,6 +14273,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -13985,13 +14292,13 @@ ADMX Info: -This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. +This policy setting allows you to manage the opening of windows and frames, and access of applications across different domains. -If you enable this policy setting, users can open windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. +If you enable this policy setting, users can open windows and frames from other domains, and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. If you disable this policy setting, users cannot open windows and frames to access applications from different domains. -If you do not configure this policy setting, users can open windows and frames from other domains and access applications from other domains. +If you do not configure this policy setting, users can open windows and frames from other domains, and access applications from other domains. @@ -14007,3 +14314,7 @@ ADMX Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index f8ed8cecde..21732fed2a 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Kerberos -
    @@ -54,7 +53,6 @@ manager: dansimp > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    @@ -66,6 +64,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -112,6 +111,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -138,8 +138,8 @@ This policy allows retrieving the cloud Kerberos ticket during the sign in. Valid values: -0 (default) - Disabled. -1 - Enabled. +0 (default) - Disabled +1 - Enabled @@ -164,6 +164,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -181,7 +182,7 @@ ADMX Info: -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring, using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains that support claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or don't configure this policy setting, the client devices won't request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device won't be able to retrieve claims for clients using Kerberos protocol transition. @@ -209,6 +210,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -263,6 +265,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -280,9 +283,10 @@ ADMX Info: -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. +This policy setting controls whether a computer requires that Kerberos message exchanges being armored when communicating with a domain controller. -Warning: When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. +> [!WARNING] +> When a domain doesn't support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. @@ -314,6 +318,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -335,7 +340,7 @@ This policy setting controls the Kerberos client's behavior in validating the KD If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer isn't joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. -If you disable or don't configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server. +If you disable or don't configure this policy setting, the Kerberos client requires only the KDC certificate that contains the Server Authentication purpose object identifier in the EKU extensions that can be issued to any server. @@ -360,6 +365,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -386,7 +392,7 @@ If you enable this policy setting, the Kerberos client or server uses the config If you disable or don't configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. > [!NOTE] -> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes. +> This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8, the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it's not advised to set this value more than 48,000 bytes. @@ -411,6 +417,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -428,9 +435,9 @@ ADMX Info: -Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it can't resolve a UPN to a principal. +Adds a list of domains that an Azure Active Directory joined device can attempt to contact, when it can't resolve a UPN to a principal. -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This limitation can cause failures, when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. @@ -447,3 +454,6 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index ec353dc9aa..e5a08afafe 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md 
@@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - KioskBrowser - - These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). @@ -60,6 +58,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,6 +95,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -132,6 +132,7 @@ List of blocked website URLs (with wildcard support). This policy is used to con |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -168,6 +169,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -201,6 +203,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -237,6 +240,7 @@ Enable/disable kiosk browser's home button. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -273,6 +277,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back). |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -290,7 +295,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back). -Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. +Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser. @@ -301,4 +306,8 @@ The value is an int 1-1440 that specifies the number of minutes the session is i
    - \ No newline at end of file + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md index abd1293e59..40e82cbc5d 100644 --- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md +++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - LanmanWorkstation - -
    @@ -27,7 +25,6 @@ manager: dansimp -
    @@ -39,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -56,13 +54,13 @@ manager: dansimp -This policy setting determines if the SMB client will allow insecure guest sign ins to an SMB server. +This policy setting determines, if the SMB client will allow insecure guest sign in to an SMB server. -If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign ins. +If you enable this policy setting or if you don't configure this policy setting, the SMB client will allow insecure guest sign in. -If you disable this policy setting, the SMB client will reject insecure guest sign ins. +If you disable this policy setting, the SMB client will reject insecure guest sign in. -Insecure guest sign ins are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign ins are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication and don't use insecure guest sign ins by default. Since insecure guest sign ins are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign ins are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign ins and configuring file servers to require authenticated access. +Insecure guest sign in are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment, insecure guest sign in are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. Windows file servers require authentication, and don't use insecure guest sign in by default. 
Since insecure guest sign in are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest sign in are vulnerable to various man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest sign in is potentially accessible to anyone on the network. Microsoft recommends disabling insecure guest sign in and configuring file servers to require authenticated access. @@ -82,3 +80,6 @@ This setting supports a range of values between 0 and 1. +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md index 430b7af709..80e2f0bd5a 100644 --- a/windows/client-management/mdm/policy-csp-licensing.md +++ b/windows/client-management/mdm/policy-csp-licensing.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Licensing - -
    @@ -30,7 +28,6 @@ manager: dansimp -
    @@ -42,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -90,6 +88,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -121,8 +120,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) – Disabled. -- 1 – Enabled. +- 0 (default) – Disabled +- 1 – Enabled @@ -131,3 +130,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index affd8a51ea..af2cf856e3 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -182,6 +182,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -201,13 +202,15 @@ manager: dansimp This policy setting prevents users from adding new Microsoft accounts on this computer. -If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. +If you select the "Users cannot add Microsoft accounts" option, users won't be able to create new Microsoft accounts on this computer. Switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This option is the preferred option if you need to limit the use of Microsoft accounts in your enterprise. If you select the "Users cannot add or log on with Microsoft accounts" option, existing Microsoft account users won't be able to sign in to Windows. Selecting this option might make it impossible for an existing administrator on this computer to sign in and manage the system. If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -236,6 +239,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -255,7 +259,9 @@ The following list shows the supported values: This setting allows the administrator to enable the local Administrator account. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. 
@@ -283,6 +289,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -302,7 +309,9 @@ The following list shows the supported values: This setting allows the administrator to enable the guest Administrator account. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -331,6 +340,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -352,16 +362,19 @@ Accounts: Limit local account use of blank passwords to console logon only This security setting determines whether local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. If enabled, local accounts that aren't password protected will only be able to sign in at the computer's keyboard. -Default: Enabled. +Default: Enabled > [!WARNING] > Computers that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can sign in by using a user account that doesn't have a password. This is especially important for portable computers. -If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. +> +> If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. -This setting doesn't affect sign ins that use domain accounts. -It's possible for applications that use remote interactive sign ins to bypass this setting. +This setting doesn't affect sign in that use domain accounts. +It's possible for applications that use remote interactive sign in to bypass this setting. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. 
@@ -372,8 +385,8 @@ GP Info: Valid values: -- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console -- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard +- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console. +- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard. @@ -389,6 +402,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -410,9 +424,11 @@ Accounts: Rename administrator account This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password combination. -Default: Administrator. +Default: Administrator -Value type is string. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -434,6 +450,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -455,9 +472,11 @@ Accounts: Rename guest account This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. -Default: Guest. +Default: Guest -Value type is string. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -479,6 +498,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -496,10 +516,11 @@ GP Info: -Devices: Allow undock without having to sign in. +Devices: Allow undock without having to sign in This security setting determines whether a portable computer can be undocked without having to sign in. If this policy is enabled, sign in isn't required and an external hardware eject button can be used to undock the computer. If disabled, a user must sign in and have the Remove computer from docking station privilege to undock the computer. -Default: Enabled. + +Default: Enabled > [!CAUTION] > Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -524,6 +545,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -545,8 +567,8 @@ Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: -- Administrators -- Administrators and Interactive Users +- Administrators. +- Administrators and Interactive Users. Default: This policy isn't defined, and only Administrators have this ability. @@ -570,6 +592,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -591,7 +614,7 @@ Devices: Prevent users from installing printer drivers when connecting to shared For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install a printer driver as part of connecting to a shared printer. If this setting is disabled, any user can install a printer driver as part of connecting to a shared printer. -Default on servers: Enabled. +Default on servers: Enabled Default on workstations: Disabled >[!NOTE] @@ -617,6 +640,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -662,6 +686,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -679,10 +704,11 @@ GP Info: -Interactive Logon: Display user information when the session is locked +Interactive Logon: Display user information when the session is locked - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. 
@@ -693,9 +719,9 @@ GP Info: Valid values: -- 1 - User display name, domain and user names -- 2 - User display name only -- 3 - Don't display user information +- 1 - User display name, domain and user names. +- 2 - User display name only. +- 3 - Don't display user information. @@ -711,6 +737,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -731,13 +758,16 @@ Valid values: Interactive logon: Don't display last signed-in This security setting determines whether the Windows sign-in screen will show the username of the last person who signed in on this PC. + If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. -Default: Disabled. +Default: Disabled -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -748,8 +778,8 @@ GP Info: Valid values: -- 0 - disabled (username will be shown) -- 1 - enabled (username won't be shown) +- 0 - disabled (username will be shown). +- 1 - enabled (username won't be shown). @@ -765,6 +795,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -790,9 +821,11 @@ If this policy is enabled, the username won't be shown. If this policy is disabled, the username will be shown. -Default: Disabled. +Default: Disabled -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -803,8 +836,8 @@ GP Info: Valid values: -- 0 - disabled (username will be shown) -- 1 - enabled (username won't be shown) +- 0 - disabled (username will be shown). +- 1 - enabled (username won't be shown). 
@@ -820,6 +853,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -845,10 +879,12 @@ If this policy is enabled on a computer, a user isn't required to press CTRL+ALT If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to Windows. -Default on domain-computers: Enabled: At least Windows 8/Disabled: Windows 7 or earlier. -Default on stand-alone computers: Enabled. +Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 or earlier. +Default on stand-alone computers: Enabled -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -859,8 +895,8 @@ GP Info: Valid values: -- 0 - disabled -- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in) +- 0 - disabled. +- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in). @@ -876,6 +912,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -893,13 +930,15 @@ Valid values: -Interactive logon: Machine inactivity limit. +Interactive logon: Machine inactivity limit Windows notices inactivity of a sign-in session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. -Default: not enforced. +Default: Not enforced -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. 
@@ -925,6 +964,7 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -946,11 +986,13 @@ Interactive logon: Message text for users attempting to sign in This security setting specifies a text message that is displayed to users when they sign in. -This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. +This text is often used for legal reasons. For example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. -Default: No message. +Default: No message -Value type is string. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -972,6 +1014,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -993,9 +1036,11 @@ Interactive logon: Message title for users attempting to sign in This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to sign in. -Default: No message. +Default: No message -Value type is string. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -1017,6 +1062,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1040,16 +1086,16 @@ This security setting determines what happens when the smart card for a logged-o The options are: - No Action - Lock Workstation - Force Logoff - Disconnect if a Remote Desktop Services session +- No Action +- Lock Workstation +- Force Logoff +- Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. If you click Force Logoff in the Properties dialog box for this policy, the user is automatically signed off when the smart card is removed. -If you click Disconnect if a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation. +If you click Disconnect on a Remote Desktop Services session, removal of the smart card disconnects the session without logging off the user. This policy allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to sign in again. If the session is local, this policy functions identically to Lock Workstation. > [!NOTE] > Remote Desktop Services was called Terminal Services in previous versions of Windows Server. @@ -1077,6 +1123,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1096,14 +1143,14 @@ GP Info: Microsoft network client: Digitally sign communications (always) -This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. +This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. -Default: Disabled. +Default: Disabled > [!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: > - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. > - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. > - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. @@ -1131,6 +1178,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1152,11 +1200,11 @@ Microsoft network client: Digitally sign communications (if server agrees) This security setting determines whether the SMB client attempts to negotiate SMB packet signing. -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. +The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB client component attempts to negotiate SMB packet signing when it connects to an SMB server. If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. -Default: Enabled. +Default: Enabled > [!Note] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: @@ -1189,6 +1237,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1212,7 +1261,7 @@ If this security setting is enabled, the Server Message Block (SMB) redirector i Sending unencrypted passwords is a security risk. -Default: Disabled. +Default: Disabled @@ -1234,6 +1283,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1294,6 +1344,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1315,9 +1366,9 @@ Microsoft network server: Digitally sign communications (always) This security setting determines whether packet signing is required by the SMB server component. -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. +The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. -If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. +If this setting is enabled, the Microsoft network server won't communicate with a Microsoft network client, unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. Default: Disabled for member servers. Enabled for domain controllers. @@ -1352,6 +1403,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1373,7 +1425,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. -The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. +The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether the SMB server will negotiate SMB packet signing when an SMB client requests it. If this setting is enabled, the Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. If this policy is disabled, the SMB client will never negotiate SMB packet signing. @@ -1410,6 +1462,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1438,8 +1491,8 @@ This security option allows more restrictions to be placed on anonymous connecti Enabled: Don't allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No extra restrictions. Rely on default permissions. -Default on workstations: Enabled. -Default on server: Enabled. +Default on workstations: Enabled +Default on server: Enabled > [!IMPORTANT] > This policy has no impact on domain controllers. @@ -1464,6 +1517,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1487,7 +1541,7 @@ This security setting determines whether anonymous enumeration of SAM accounts a Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This feature is convenient, for example, when an administrator wants to grant access to users in a trusted domain that doesn't maintain a reciprocal trust. If you don't want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. -Default: Disabled. +Default: Disabled @@ -1509,6 +1563,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1530,9 +1585,9 @@ Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: -Network access: Named pipes that can be accessed anonymously -Network access: Shares that can be accessed anonymously -Default: Enabled. +- Network access: Named pipes that can be accessed anonymously. +- Network access: Shares that can be accessed anonymously. +- Default: Enabled. @@ -1554,6 +1609,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1599,6 +1655,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1631,8 +1688,8 @@ GP Info: Valid values: -- 0 - Disabled -- 1 - Enabled (Allow Local System to use computer identity for NTLM.) +- 0 - Disabled. +- 1 - Enabled (Allow Local System to use computer identity for NTLM). @@ -1648,6 +1705,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1669,8 +1727,9 @@ Network security: Allow PKU2U authentication requests to this computer to use on This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -1681,8 +1740,8 @@ GP Info: Valid values: -- 0 - disabled -- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities.) +- 0 - disabled. +- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities). @@ -1698,6 +1757,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1719,9 +1779,8 @@ Network security: Don't store LAN Manager hash value on next password change This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database, the passwords can be compromised if the security database is attacked. - -Default on Windows Vista and above: Enabled -Default on Windows XP: Disabled. +- Default on Windows Vista and above: Enabled +- Default on Windows XP: Disabled @@ -1743,6 +1802,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1762,27 +1822,27 @@ GP Info: Network security LAN Manager authentication level -This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: +This security setting determines which challenge/response authentication protocol is used for network logon. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: -Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. +- Send LM and NTLM responses: Clients use LM and NTLM authentication and never use NTLMv2 session security; domain controllers accept LM, NTLM, and NTLMv2 authentication. -Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. +- Send LM and NTLM - use NTLMv2 session security if negotiated: Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. -Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. +- Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. 
-Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. +- Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication. -Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). +- Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). -Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). +- Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). -Default: +- Default: -windows XP: send LM and NTLM responses +- windows XP: send LM and NTLM responses. -Windows Server 2003: Send NTLM response only +- Windows Server 2003: Send NTLM response only. -Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only +Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send NTLMv2 response only. @@ -1804,6 +1864,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1828,11 +1889,11 @@ This security setting allows a client device to require the negotiation of 128-b - Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. - Require 128-bit encryption: The connection will fail if strong encryption (128-bit) isn't negotiated. -Default: +- Default: -Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. +- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. +- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. @@ -1854,6 +1915,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1875,14 +1937,15 @@ Network security: Minimum session security for NTLM SSP based (including secure This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: -Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. -Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated. +- Require NTLMv2 session security: The connection will fail if message integrity isn't negotiated. -Default: +- Require 128-bit encryption. The connection will fail if strong encryption (128-bit) isn't negotiated. -Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. +- Default: -Windows 7 and Windows Server 2008 R2: Require 128-bit encryption +- Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. + +- Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. 
@@ -1904,6 +1967,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1923,13 +1987,13 @@ GP Info: Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication -This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. +This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication, if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you can define a list of remote servers to which clients are allowed to use NTLM authentication. If you don't configure this policy setting, no exceptions will be applied. -The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character. +The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used by the application, listed one per line. To ensure exceptions, the name used by all applications needs to be in the list, and to ensure an exception is accurate, the server name should be listed in both naming formats. A single asterisk (*) can be used anywhere in the string as a wildcard character. @@ -1960,6 +2024,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2021,6 +2086,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2082,6 +2148,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2143,6 +2210,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2168,10 +2236,12 @@ When this policy is enabled, the Shut Down command is available on the Windows l When this policy is disabled, the option to shut down the computer doesn't appear on the Windows logon screen. In this case, users must be able to sign in to the computer successfully and have the Shut down the system user right before they can perform a system shutdown. -Default on workstations: Enabled. -Default on servers: Disabled. +- Default on workstations: Enabled. +- Default on servers: Disabled. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2182,8 +2252,8 @@ GP Info: Valid values: -- 0 - disabled -- 1 - enabled (allow system to be shut down without having to sign in) +- 0 - disabled. +- 1 - enabled (allow system to be shut down without having to sign in). @@ -2199,6 +2269,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2224,7 +2295,7 @@ Virtual memory support uses a system pagefile to swap pages of memory to disk wh When this policy is enabled, it causes the system pagefile to be cleared upon clean shutdown. If you enable this security option, the hibernation file (hiberfil.sys) is also zeroed out when hibernation is disabled. -Default: Disabled. +Default: Disabled 
@@ -2246,6 +2317,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2273,7 +2345,9 @@ Disabled: (Default) The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2284,8 +2358,8 @@ GP Info: Valid values: -- 0 - disabled -- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop) +- 0 - disabled. +- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop). @@ -2301,6 +2375,7 @@ Valid values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2340,7 +2415,9 @@ The options are: - 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2362,6 +2439,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2380,9 +2458,12 @@ GP Info: User Account Control: Behavior of the elevation prompt for standard users + This policy setting controls the behavior of the elevation prompt for standard users. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2394,9 +2475,9 @@ GP Info: The following list shows the supported values: -- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. +- 0 - Automatically deny elevation requests: When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user, may choose this setting to reduce help desk calls. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- 3 (Default) - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. @@ -2412,6 +2493,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2435,9 +2517,9 @@ This policy setting controls the behavior of application installation detection The options are: -Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- Enabled: (Default) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. +- Disabled: Application installation packages aren't detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies such as Group Policy Software Installation or Systems Management Server (SMS) should disable this policy setting. In this case, installer detection is unnecessary. @@ -2459,6 +2541,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2478,13 +2561,15 @@ GP Info: User Account Control: Only elevate executable files that are signed and validated -This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local computers. +This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run, by adding certificates to the Trusted Publishers certificate store on local computers. The options are: - 0 - Disabled: (Default) Doesn't enforce PKI certification path validation before a given executable file is permitted to run. - 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2506,6 +2591,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2525,7 +2611,7 @@ GP Info: User Account Control: Only elevate UIAccess applications that are installed in secure locations -This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations: +This policy setting controls, whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following locations: - .\Program Files\, including subfolders - .\Windows\system32\ @@ -2538,7 +2624,9 @@ The options are: - 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system. - 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2560,6 +2648,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2587,10 +2676,11 @@ The options are: > [!NOTE] > If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced. -- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2612,6 +2702,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2637,7 +2728,9 @@ The options are: - 0 - Disabled: All elevation requests go to the interactive user's desktop. Prompt behavior policy settings for administrators and standard users are used. - 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2659,6 +2752,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2706,6 +2800,7 @@ GP Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2727,7 +2822,9 @@ User Account Control: Virtualize file and registry write failures to per-user lo This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +This policy supports the following: +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -2746,5 +2843,8 @@ The following list shows the supported values:
    - + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md index fb1249a953..acd43127cc 100644 --- a/windows/client-management/mdm/policy-csp-localusersandgroups.md +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -25,7 +25,6 @@ manager: dansimp -
    @@ -37,11 +36,11 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -
    @@ -86,7 +85,7 @@ where: > [!NOTE] > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk". For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy. -for more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). +For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea). See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. 
@@ -94,7 +93,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura > - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. > - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. > - `` is not valid for the R (Restrict) action and will be ignored if present. -> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. +> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. 
@@ -120,7 +119,7 @@ The following example updates the built-in administrators group with AAD account Example 2: Replace / Restrict the built-in administrators group with an AAD user account. > [!NOTE] -> When using ‘R’ replace option to configure the built-in ‘Administrators’ group, it is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. +> When using ‘R’ replace option to configure the built-in ‘Administrators’ group. It is required to always specify the administrator as a member + any other custom members. This is because the built-in administrator must always be a member of the administrators group. Example: ```xml @@ -132,6 +131,7 @@ Example: ``` + Example 3: Update action for adding and removing group members on a hybrid joined machine. The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists. @@ -147,7 +147,6 @@ The following example shows how you can update a local group (**Administrators** ``` - @@ -157,7 +156,7 @@ The following example shows how you can update a local group (**Administrators** > [!NOTE] > -> When AAD group SID’s are added to local groups, during AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: +> When AAD group SID’s are added to local groups, AAD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device: > > - Administrators > - Users @@ -296,5 +295,8 @@ To troubleshoot Name/SID lookup APIs: ``` - + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) 
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md index 90a9dc1bf5..97ea810006 100644 --- a/windows/client-management/mdm/policy-csp-lockdown.md +++ b/windows/client-management/mdm/policy-csp-lockdown.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - LockDown -
    @@ -26,7 +25,6 @@ manager: dansimp -
    @@ -38,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -57,7 +56,7 @@ manager: dansimp Allows the user to invoke any system user interface by swiping in from any screen edge using touch. -The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled. +The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied, and then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange, that will also be disabled. @@ -80,3 +79,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md index c2cb4d83fd..6ee7e3956d 100644 --- a/windows/client-management/mdm/policy-csp-maps.md +++ b/windows/client-management/mdm/policy-csp-maps.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Maps - -
    @@ -30,7 +28,6 @@ manager: dansimp -
    @@ -42,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -85,6 +83,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -128,3 +127,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md index eea0f98401..92d62d27ee 100644 --- a/windows/client-management/mdm/policy-csp-memorydump.md +++ b/windows/client-management/mdm/policy-csp-memorydump.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - MemoryDump - -
    @@ -30,7 +28,6 @@ manager: dansimp -
    @@ -42,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -82,6 +80,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -115,3 +114,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index 7c01fe7a99..f002adc108 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Messaging - -
    @@ -27,7 +25,6 @@ manager: dansimp -
    @@ -39,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -80,3 +78,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md index 02d6f53ac3..69536145cf 100644 --- a/windows/client-management/mdm/policy-csp-mixedreality.md +++ b/windows/client-management/mdm/policy-csp-mixedreality.md @@ -68,12 +68,12 @@ Steps to use this policy correctly: 1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays 1. The value can be between min / max allowed. 1. Enroll HoloLens devices and verify both configurations get applied to the device. -1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. +1. Let Azure AD user 1 sign-in, when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created. 1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days. 1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they're a member of Azure AD group to which Kiosk configuration is targeted. > [!NOTE] -> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments. +> Until step 4 is performed for a Azure AD, user will experience failure behavior mentioned similar to “disconnected” environments.
    @@ -90,14 +90,14 @@ Steps to use this policy correctly: |HoloLens 2|Yes| -This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in. +This new AutoLogonUser policy controls whether a user will be automatically signed in. Some customers want to set up devices that are tied to an identity but don't want any sign-in experience. Imagine picking up a device and using remote assist immediately. Or have a benefit of being able to rapidly distribute HoloLens devices and enable their end users to speed up sign in. When the policy is set to a non-empty value, it specifies the email address of the auto log-on user. The specified user must sign in to the device at least once to enable autologon. The OMA-URI of new policy `./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoLogonUser` -String value +Supported value is String. - User with the same email address will have autologon enabled. @@ -106,7 +106,7 @@ On a device where this policy is configured, the user specified in the policy wi > [!NOTE] > > - Some events such as major OS updates may require the specified user to logon to the device again to resume auto-logon behavior. -> - Auto-logon is only supported for MSA and AAD users. +> - Auto-logon is only supported for Microsoft account and AAD users.
    @@ -121,7 +121,7 @@ On a device where this policy is configured, the user specified in the policy wi -This policy setting controls for how many days Azure AD group membership cache is allowed to be used for Assigned Access configurations targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions. +This policy setting controls, for how many days Azure AD group membership cache is allowed to be used for the Assigned Access configurations, targeting Azure AD groups for signed in user. Once this policy setting is set, only then cache is used, otherwise not. In order for this policy setting to take effect, user must sign out and sign in with Internet available at least once before the cache can be used for subsequent "disconnected" sessions. @@ -129,7 +129,7 @@ This policy setting controls for how many days Azure AD group membership cache i -- Integer value +Supported value is Integer. Supported values are 0-60. The default value is 0 (day) and maximum value is 60 (days). @@ -169,7 +169,7 @@ This policy setting controls if pressing the brightness button changes the brigh -- Boolean value +Supported values is Boolean. The following list shows the supported values: 
@@ -204,7 +204,7 @@ The following list shows the supported values: -This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). +This policy controls the behavior of moving platform feature on Hololens 2, that is, whether it's turned off / on, or it can be toggled by a user. It should only be used by customers who intend to use Hololens 2 in moving environments with low dynamic motion. For background information, see [HoloLens 2 Moving Platform Mode | Microsoft Docs](/hololens/hololens2-moving-platform#:~:text=Why%20Moving%20Platform%20Mode%20is%20Necessary%20HoloLens%20needs%2csimilar%20pieces%20of%20information%20from%20two%20separate%20sources:). @@ -212,7 +212,7 @@ This policy controls the behavior of moving platform feature on Hololens 2, that -- Integer value +Supported value is Integer. - 0 (Default) - Last set user's preference. Initial state is OFF and after that user's preference is persisted across reboots and is used to initialize the system. - 1 Force off - Moving platform is disabled and can't be changed by user. @@ -246,7 +246,7 @@ This policy controls the behavior of moving platform feature on Hololens 2, that -This policy setting controls when and if diagnostic logs can be collected using specific button combination on HoloLens. +This policy setting controls, when and if diagnostic logs can be collected using specific button combination on HoloLens. 
@@ -254,13 +254,13 @@ This policy setting controls when and if diagnostic logs can be collected using -- Integer value +Supporting value is Integer. The following list shows the supported values: -- 0 - Disabled -- 1 - Enabled for device owners -- 2 - Enabled for all (Default) +- 0 - Disabled. +- 1 - Enabled for device owners. +- 2 - Enabled for all (Default). @@ -298,12 +298,12 @@ This policy configures behavior of HUP to determine, which algorithm to use for -- Boolean value +Supporting value is Boolean. The following list shows the supported values: -- 0 - Feature – Default feature based / SLAM-based tracker (Default) -- 1 - Constellation – LR constellation based tracker +- 0 - Feature – Default feature based / SLAM-based tracker (Default). +- 1 - Constellation – LR constellation based tracker. @@ -341,7 +341,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not -- Boolean value +Supporting value is Boolean. The following list shows the supported values: @@ -384,7 +384,7 @@ This policy setting controls if pressing the volume button changes the volume or -- Boolean value +Supporting value is Boolean. The following list shows the supported values: @@ -419,7 +419,7 @@ The following list shows the supported values: -This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in if no other user has logged in on the device before. +This policy controls whether a visitor user will be automatically logged in. Visitor users can only be created and logged in, if an Assigned Access profile has been created targeting visitor users. A visitor user will only be automatically logged in, if no other user has logged in on the device before. 
@@ -427,7 +427,7 @@ This policy controls whether a visitor user will be automatically logged in. Vis -- Boolean value +Supported value is Boolean. The following list shows the supported values: @@ -439,3 +439,7 @@ The following list shows the supported values:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md index 812c96e877..c85466d3ee 100644 --- a/windows/client-management/mdm/policy-csp-mssecurityguide.md +++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - MSSecurityGuide -
    @@ -43,11 +42,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -60,6 +59,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -99,6 +99,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -139,6 +140,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -179,6 +181,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -219,6 +222,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -258,6 +262,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -287,6 +292,8 @@ ADMX Info:
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-msslegacy.md b/windows/client-management/mdm/policy-csp-msslegacy.md index 6f71a563e4..83db3103f2 100644 --- a/windows/client-management/mdm/policy-csp-msslegacy.md +++ b/windows/client-management/mdm/policy-csp-msslegacy.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - MSSLegacy -
    @@ -36,11 +35,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -53,6 +52,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -92,6 +92,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -132,6 +133,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -171,6 +173,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -201,6 +204,8 @@ ADMX Info:
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-multitasking.md b/windows/client-management/mdm/policy-csp-multitasking.md index 1bd998b15e..9f93048ae9 100644 --- a/windows/client-management/mdm/policy-csp-multitasking.md +++ b/windows/client-management/mdm/policy-csp-multitasking.md @@ -25,7 +25,6 @@ manager: dansimp -
    @@ -37,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -66,11 +66,11 @@ This policy only applies to the Alt+Tab switcher. When the policy isn't enabled, > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -96,3 +96,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md index 9dbb409924..4b81789c59 100644 --- a/windows/client-management/mdm/policy-csp-networkisolation.md +++ b/windows/client-management/mdm/policy-csp-networkisolation.md 
@@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - NetworkIsolation - -
    @@ -48,7 +46,6 @@ manager: dansimp -
    @@ -60,6 +57,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -102,6 +100,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -157,6 +156,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -174,7 +174,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff -Integer value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets. +Integer value that tells the client to accept the configured list and not to use heuristics to attempt and find other subnets. @@ -198,6 +198,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -240,6 +241,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -257,11 +259,10 @@ ADMX Info: -This list is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". +This is a list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected. These locations will be considered a safe destination for enterprise data to be shared to. This list is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". > [!NOTE] > The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -  Here are the steps to create canonical domain names: @@ -283,6 +284,7 @@ Here are the steps to create canonical domain names: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -325,6 +327,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -366,6 +369,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -399,4 +403,8 @@ ADMX Info:
    - \ No newline at end of file + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md index 1e7e152515..72328ad669 100644 --- a/windows/client-management/mdm/policy-csp-networklistmanager.md +++ b/windows/client-management/mdm/policy-csp-networklistmanager.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - NetworkListManager -
    @@ -29,7 +28,6 @@ manager: dansimp -
    @@ -41,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -84,6 +83,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must fo |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -107,3 +107,6 @@ This policy setting provides the string that is to be used to name a network. Th +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index cb70df917f..5d8350eed5 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - NewsAndInterests - -
    @@ -26,8 +24,6 @@ manager: dansimp NewsAndInterests/AllowNewsAndInterests - -
    @@ -39,6 +35,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -65,7 +62,7 @@ This policy specifies whether to allow the entire widgets experience, including The following are the supported values: -- 1 - Default - Allowed +- 1 - Default - Allowed. - 0 - Not allowed. @@ -82,5 +79,8 @@ ADMX Info:
    + - \ No newline at end of file +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 20823757ce..3039a6845a 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - Notifications - -
    @@ -48,6 +46,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -71,7 +70,7 @@ If you enable this policy setting, applications and system features won't be abl If you enable this policy setting, notifications can still be raised by applications running on the machine via local API calls from within the application. -If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in and applications will be allowed to use periodic (polling) notifications. +If you disable or don't configure this policy setting, the client computer will connect to WNS at user sign in, and applications will be allowed to use periodic (polling) notifications. No reboots or service restarts are required for this policy setting to take effect. @@ -93,9 +92,9 @@ This setting supports a range of values between 0 and 1. Validation: -1. Enable policy -2. Reboot machine -3. Ensure that you can't receive a notification from Facebook app while FB app isn't running +1. Enable policy. +2. Reboot machine. +3. Ensure that you can't receive a notification from Facebook app while FB app isn't running. @@ -111,6 +110,7 @@ Validation: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -130,7 +130,7 @@ Validation: Boolean value that turns off notification mirroring. -For each user signed in to the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. +For each user signed in to the device, if you enable this policy (set value to 1), the app and system notifications received by this user on this device won't get mirrored to other devices of the same signed-in user. If you disable or don't configure this policy (set value to 0), the notifications received by this user on this device will be mirrored to other devices of the same signed-in user. This feature can be turned off by apps that don't want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page. No reboot or service restart is required for this policy to take effect. @@ -163,6 +163,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -203,9 +204,9 @@ This setting supports a range of values between 0 and 1. Validation: -1. Enable policy -2. Reboot machine -3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile) +1. Enable policy. +2. Reboot machine. +3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile). 
@@ -265,7 +266,8 @@ This policy setting determines which Windows Notification Service endpoint will If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. -Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. +> [!NOTE] +> Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. @@ -285,3 +287,7 @@ If the policy isn't specified, we'll default our connection to client.wns.window + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 30eb1c679f..ca3d7e34bd 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md 
@@ -93,11 +93,11 @@ manager: dansimp > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -176,6 +176,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -222,6 +223,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -268,6 +270,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -318,6 +321,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -341,7 +345,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -366,6 +370,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -422,6 +427,7 @@ Supported values: 0-100. The default is 70. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -477,6 +483,7 @@ Supported values: 0-100. The default is 70. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -500,7 +507,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -525,6 +532,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -548,11 +556,10 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. - ADMX Info: - GP Friendly name: *Specify the system hibernate timeout (plugged in)* @@ -574,6 +581,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -620,6 +628,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -666,6 +675,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -727,6 +737,7 @@ The following are the supported lid close switch actions (on battery): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -788,6 +799,7 @@ The following are the supported lid close switch actions (plugged in): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -849,6 +861,7 @@ The following are the supported Power button actions (on battery): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -910,6 +923,7 @@ The following are the supported Power button actions (plugged in): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -971,6 +985,7 @@ The following are the supported Sleep button actions (on battery): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1032,6 +1047,7 @@ The following are the supported Sleep button actions (plugged in): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1080,6 +1096,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1103,7 +1120,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or don't configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this slide show can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. @@ -1128,6 +1145,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1163,8 +1181,8 @@ ADMX Info: The following are the supported values for Hybrid sleep (on battery): -- 0 - no hibernation file for sleep (default) -- 1 - hybrid sleep +- 0 - no hibernation file for sleep (default). +- 1 - hybrid sleep. @@ -1186,6 +1204,7 @@ The following are the supported values for Hybrid sleep (on battery): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1221,8 +1240,8 @@ ADMX Info: The following are the supported values for Hybrid sleep (plugged in): -- 0 - no hibernation file for sleep (default) -- 1 - hybrid sleep +- 0 - no hibernation file for sleep (default). +- 1 - hybrid sleep. @@ -1244,6 +1263,7 @@ The following are the supported values for Hybrid sleep (plugged in): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1302,6 +1322,7 @@ Default value for unattended sleep timeout (on battery): |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1353,3 +1374,6 @@ Default value for unattended sleep timeout (plugged in): +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 48b7f7722b..3fe4de393e 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Printers -
    @@ -46,11 +45,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -105,7 +104,8 @@ manager: dansimp This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. + This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is `/[,/]` @@ -176,7 +176,8 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. + This policy will contain the comma separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is `/[,/]` 
@@ -244,7 +245,8 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. + This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. The default value of the policy will be Unconfigured. @@ -253,7 +255,6 @@ If the policy value is either Unconfigured or Disabled, the print spooler won't If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - @@ -320,7 +321,8 @@ ADMX Info: This policy implements the print portion of the Device Control requirements. -These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +These requirements include restricting printing to USB connected printers that match a list of approved USB Vid/Pid combinations or to corporate connected printers, while either directly connected to the corporate network or when using a VPN connection to the corporate network. + This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. The default value of the policy will be Unconfigured. 
@@ -329,7 +331,6 @@ If the policy value is either Unconfigured or Disabled, the print spooler won't If the policy value is Enabled, the print spooler will restrict local printing to USB devices in the Approved Device list. - @@ -353,6 +354,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -382,9 +384,9 @@ If you don't configure this policy setting: - Windows Vista client computers can point and print to any server. -- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. -- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. 
@@ -392,9 +394,9 @@ If you disable this policy setting: - Windows Vista client computers can create a printer connection to any server using Point and Print. -- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. -- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. @@ -436,6 +438,7 @@ Data type: String Value: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -465,9 +468,9 @@ If you don't configure this policy setting: - Windows Vista client computers can point and print to any server. -- Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers will show a warning and an elevated command prompt, when users create a printer connection to any server using Point and Print. -- Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers will show a warning and an elevated command prompt, when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print. 
@@ -475,9 +478,9 @@ If you disable this policy setting: - Windows Vista client computers can create a printer connection to any server using Point and Print. -- Windows Vista computers won't show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. +- Windows Vista computers won't show a warning or an elevated command prompt, when users create a printer connection to any server using Point and Print. -- Windows Vista computers won't show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. +- Windows Vista computers won't show a warning or an elevated command prompt, when an existing printer connection driver needs to be updated. - Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. @@ -505,6 +508,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -524,11 +528,12 @@ ADMX Info: Determines whether the computer's shared printers can be published in Active Directory. -If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory. +If you enable this setting or don't configure it, users can use the "List in directory" option in the Printer's Properties' on the Sharing tab, to publish shared printers in Active Directory. If you disable this setting, this computer's shared printers can't be published in Active Directory, and the "List in directory" option isn't available. -Note: This setting takes priority over the setting "Automatically publish new printers in the Active Directory". +> [!NOTE] +> This setting takes priority over the setting "Automatically publish new printers in the Active Directory". 
@@ -545,3 +550,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index 0bcba72d88..6f984cad6c 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -15,7 +15,6 @@ manager: dansimp # Policy CSP - Privacy -
    @@ -306,6 +305,7 @@ manager: dansimp |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -328,7 +328,6 @@ Allows or disallows the automatic acceptance of the pairing and privacy user con > [!NOTE] > There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - Most restricted value is 0. @@ -352,6 +351,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -402,6 +402,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -419,7 +420,7 @@ The following list shows the supported values: -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation, and talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. @@ -452,6 +453,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -503,6 +505,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -523,7 +526,8 @@ The following list shows the supported values: Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. -Value type is integer. +Supported value type is integer. + - 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. - 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. @@ -560,6 +564,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -591,7 +596,7 @@ ADMX Info: The following list shows the supported values: -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled (not published to the cloud). - 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. @@ -608,6 +613,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -627,7 +633,6 @@ The following list shows the supported values: Specifies whether Windows apps can access account information. - Most restricted value is 2. @@ -661,6 +666,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -703,6 +709,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -745,6 +752,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -787,6 +795,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| @@ -809,7 +818,7 @@ ADMX Info: Specifies whether Windows apps can access the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background. -Value type is integer. +Supported value type is integer. @@ -842,6 +851,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| @@ -864,7 +874,7 @@ The following list shows the supported values: List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. -Value type is chr. +Supported value type is chr. @@ -892,6 +902,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| @@ -914,7 +925,7 @@ ADMX Info: List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the user's movements while the apps are running in the background. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. -Value type is chr. +Supported value type is chr. @@ -942,6 +953,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| 
@@ -965,7 +977,7 @@ ADMX Info: List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps. -Value type is chr. +Supported value type is chr. @@ -993,6 +1005,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1012,7 +1025,6 @@ ADMX Info: Specifies whether Windows apps can access the calendar. - Most restricted value is 2. @@ -1046,6 +1058,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1088,6 +1101,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1130,6 +1144,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1172,6 +1187,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1191,7 +1207,6 @@ ADMX Info: Specifies whether Windows apps can access call history. - Most restricted value is 2. @@ -1225,6 +1240,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1267,6 +1283,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1309,6 +1326,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1351,6 +1369,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1370,7 +1389,6 @@ ADMX Info: Specifies whether Windows apps can access the camera. - Most restricted value is 2. @@ -1404,6 +1422,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1446,6 +1465,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1488,6 +1508,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1530,6 +1551,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1549,7 +1571,6 @@ ADMX Info: Specifies whether Windows apps can access contacts. - Most restricted value is 2. @@ -1583,6 +1604,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1625,6 +1647,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1667,6 +1690,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1709,6 +1733,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1728,7 +1753,6 @@ ADMX Info: Specifies whether Windows apps can access email. - Most restricted value is 2. 
@@ -1762,6 +1786,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1804,6 +1829,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1846,6 +1872,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1888,6 +1915,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1921,6 +1949,7 @@ This policy setting specifies whether Windows apps can access the eye tracker. |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1954,6 +1983,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1987,6 +2017,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2020,6 +2051,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2039,7 +2071,6 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use Specifies whether Windows apps can access location. - Most restricted value is 2. @@ -2073,6 +2104,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2115,6 +2147,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2157,6 +2190,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2199,6 +2233,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2218,7 +2253,6 @@ ADMX Info: Specifies whether Windows apps can read or send messages (text or MMS). - Most restricted value is 2. @@ -2252,6 +2286,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2294,6 +2329,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2336,6 +2372,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2378,6 +2415,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2397,7 +2435,6 @@ ADMX Info: Specifies whether Windows apps can access the microphone. - Most restricted value is 2. @@ -2431,6 +2468,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2473,6 +2511,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2515,6 +2554,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2557,6 +2597,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2576,7 +2617,6 @@ ADMX Info: Specifies whether Windows apps can access motion data. - Most restricted value is 2. @@ -2610,6 +2650,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2652,6 +2693,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2694,6 +2736,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2736,6 +2779,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2755,7 +2799,6 @@ ADMX Info: Specifies whether Windows apps can access notifications. - Most restricted value is 2. @@ -2789,6 +2832,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2831,6 +2875,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2873,6 +2918,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2915,6 +2961,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2934,7 +2981,6 @@ ADMX Info: Specifies whether Windows apps can make phone calls. - Most restricted value is 2. 
@@ -2968,6 +3014,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3010,6 +3057,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3052,6 +3100,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3094,6 +3143,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3113,7 +3163,6 @@ ADMX Info: Specifies whether Windows apps have access to control radios. - Most restricted value is 2. @@ -3147,6 +3196,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3189,6 +3239,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3231,6 +3282,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3273,6 +3325,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3315,6 +3368,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3357,6 +3411,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3399,6 +3454,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3441,6 +3497,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3460,7 +3517,6 @@ ADMX Info: Specifies whether Windows apps can access trusted devices. - Most restricted value is 2. @@ -3494,6 +3550,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3536,6 +3593,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3578,6 +3636,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3620,6 +3679,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3670,6 +3730,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3720,6 +3781,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3739,7 +3801,6 @@ The following list shows the supported values: Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - Most restricted value is 2. @@ -3773,6 +3834,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3815,6 +3877,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3857,6 +3920,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3899,6 +3963,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3918,8 +3983,8 @@ ADMX Info: Specifies whether Windows apps can run in the background. - Most restricted value is 2. + > [!WARNING] > Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. @@ -3954,6 +4019,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3996,6 +4062,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4013,7 +4080,7 @@ ADMX Info: -List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. +List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability, to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. @@ -4038,6 +4105,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -4080,6 +4148,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4099,7 +4168,6 @@ ADMX Info: Specifies whether Windows apps can sync with devices. - Most restricted value is 2. @@ -4133,6 +4201,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4175,6 +4244,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4217,6 +4287,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4259,6 +4330,7 @@ ADMX Info: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4276,7 +4348,7 @@ ADMX Info: -Allows It Admins to enable publishing of user activities to the activity feed. +Allows IT Admins to enable publishing of user activities to the activity feed. @@ -4307,6 +4379,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -4340,3 +4413,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remoteassistance.md b/windows/client-management/mdm/policy-csp-remoteassistance.md index 64c53af12c..0faafb160a 100644 --- a/windows/client-management/mdm/policy-csp-remoteassistance.md +++ b/windows/client-management/mdm/policy-csp-remoteassistance.md @@ -52,6 +52,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -71,9 +72,9 @@ manager: dansimp This policy setting lets you customize warning messages. -The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before users share control of their computers. +The "Display warning message before sharing control" policy setting allows you to specify a custom message, to display before users share control of their computers. -The "Display warning message before connecting" policy setting allows you to specify a custom message to display before users allow a connection to their computers. +The "Display warning message before connecting" policy setting allows you to specify a custom message, to display before users allow a connection to their computers. If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. @@ -104,6 +105,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -152,6 +154,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -181,7 +184,7 @@ If you enable this policy setting, you have two ways to allow helpers to provide The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. -The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista since SMAPI is the only method supported. +The "Select the method for sending email invitations" setting specifies which email standard to use, to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting isn't available in Windows Vista, since SMAPI is the only method supported. If you enable this policy setting, you should also enable appropriate firewall exceptions to allow Remote Assistance communications. @@ -208,6 +211,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -246,23 +250,24 @@ If you enable this policy setting, you should also enable firewall exceptions to Windows Vista and later Enable the Remote Assistance exception for the domain profile. The exception must contain: -Port 135:TCP -%WINDIR%\System32\msra.exe -%WINDIR%\System32\raserver.exe + +- Port 135:TCP +- %WINDIR%\System32\msra.exe +- %WINDIR%\System32\raserver.exe Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -%WINDIR%\System32\Sessmgr.exe +- Port 135:TCP +- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +- %WINDIR%\System32\Sessmgr.exe For computers running Windows Server 2003 with Service Pack 1 (SP1) -Port 135:TCP -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe -%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe -Allow Remote Desktop Exception +- Port 135:TCP +- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +- %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +- Allow Remote Desktop Exception @@ -278,3 +283,7 @@ ADMX Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md index 7d2559655b..077e297205 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktop.md +++ b/windows/client-management/mdm/policy-csp-remotedesktop.md @@ -41,6 +41,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -59,7 +60,7 @@ manager: dansimp -This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to silently subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. +This policy allows administrators to enable automatic subscription for the Microsoft Remote Desktop client. If you define this policy, the specified URL is used by the client to subscribe the logged on user and retrieve the remote resources assigned to them. To automatically subscribe to Azure Virtual Desktop in the Azure Public cloud, set the URL to `https://rdweb.wvd.microsoft.com/api/arm/feeddiscovery`. @@ -76,6 +77,7 @@ This policy allows administrators to enable automatic subscription for the Micro |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -93,7 +95,7 @@ This policy allows administrators to enable automatic subscription for the Micro -This policy allows the user to load the DPAPI cred key from their user profile and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs. +This policy allows the user to load the DPAPI cred key from their user profile, and decrypt any previously encrypted DPAPI data in the user profile or encrypt any new DPAPI data. This policy is needed when using FSLogix user profiles from Azure AD-joined VMs. @@ -111,3 +113,7 @@ The following list shows the supported values: + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 6519b2d40c..bc4a782639 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - RemoteDesktopServices - -
    @@ -43,11 +41,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -60,6 +58,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -85,7 +84,8 @@ If you disable this policy setting, users can't connect remotely to the target c If you don't configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections aren't allowed. -Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. +> [!NOTE] +> You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. @@ -112,6 +112,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -129,7 +130,7 @@ ADMX Info: -Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. +Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: 
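Review bot: The added line reads "Specifies whether it require the use of a specific encryption level", which is ungrammatical and leaves "it" without a referent; the removed line's "Specifies whether to require the use of a specific encryption level" was correct. Restore the original wording. Nothing else in the paragraph changes, so this hunk can then be dropped.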
@@ -141,9 +142,8 @@ If you enable this policy setting, all communications between clients and RD Ses If you disable or don't configure this setting, the encryption level to be used for remote connections to RD Session Host servers isn't enforced through Group Policy. -Important - -FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. +> [!IMPORTANT] +> FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level, when communications between clients and RD Session Host servers requires the highest level of encryption. @@ -168,6 +168,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -218,6 +219,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -264,6 +266,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -316,6 +319,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -343,7 +347,8 @@ If the status is set to Disabled, Remote Desktop Services always requests securi If the status is set to Not Configured, unsecured communication is allowed. -Note: The RPC interface is used for administering and configuring Remote Desktop Services. +> [!NOTE] +> The RPC interface is used for administering and configuring Remote Desktop Services. @@ -360,3 +365,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index a0059027d9..82936149da 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - RemoteManagement - -
    @@ -70,11 +68,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -87,6 +85,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -133,6 +132,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -179,6 +179,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -225,6 +226,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -271,6 +273,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -330,6 +333,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -376,6 +380,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -422,6 +427,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -468,6 +474,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -514,6 +521,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -560,6 +568,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -579,7 +588,7 @@ ADMX Info: This policy setting allows you to manage whether the Windows Remote Management (WinRM) service won't allow RunAs credentials to be stored for any plug-ins. -If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. +If you enable this policy setting, the WinRM service won't allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. If you disable or don't configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. @@ -608,6 +617,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -660,6 +670,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -677,9 +688,9 @@ ADMX Info: -This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. +This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. -If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host. +If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsList to determine, if the destination host is a trusted entity. The WinRM client uses this list when HTTPS or Kerberos is used to authenticate the identity of the host. If you disable or don't configure this policy setting and the WinRM client needs to use the list of trusted hosts, you must configure the list of trusted hosts locally on each computer. @@ -706,6 +717,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -756,6 +768,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -798,3 +811,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md index c2235cdbb4..29a499d619 100644 --- a/windows/client-management/mdm/policy-csp-remoteprocedurecall.md +++ b/windows/client-management/mdm/policy-csp-remoteprocedurecall.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - RemoteProcedureCall -
    @@ -30,11 +29,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -47,6 +46,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -64,15 +64,16 @@ manager: dansimp -This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service, when the call they're making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) can't process authentication information supplied in this manner. If you disable this policy setting, RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. -If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls won't be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. +If you don't configure this policy setting, it remains disabled. RPC clients won't authenticate to the Endpoint Mapper Service, but they'll be able to communicate with the Windows NT4 Server Endpoint Mapper Service. -Note: This policy won't be applied until the system is rebooted. +> [!NOTE] +> This policy won't be applied until the system is rebooted. 
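Review bot: In the first added line, the new comma in "authenticate with the Endpoint Mapper Service, when the call they're making contains authentication information" turns the condition into an aside, so the sentence can be read as saying that RPC clients always authenticate. Drop the comma so the sentence stays in line with "for calls that contain authentication information" in the enabled-state paragraph of the same hunk. The conversion of "Note:" to a `> [!NOTE]` block matches the note already used later in this file and is fine as is.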
@@ -97,6 +98,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -114,13 +116,13 @@ ADMX Info: -This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. +This policy setting controls, how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. -This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. +This policy setting impacts all RPC applications. In a domain environment, this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. -If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. +If you don't configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client, and the value of "None" used for Server SKUs that support this policy setting. If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. 
A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. @@ -128,7 +130,7 @@ If you enable this policy setting, it directs the RPC server runtime to restrict - "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. +- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. > [!NOTE] > This policy setting won't be applied until the system is rebooted. @@ -148,3 +150,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-remoteshell.md b/windows/client-management/mdm/policy-csp-remoteshell.md index 25abffed2e..9596508d36 100644 --- a/windows/client-management/mdm/policy-csp-remoteshell.md +++ b/windows/client-management/mdm/policy-csp-remoteshell.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - RemoteShell -
    @@ -45,11 +44,11 @@ manager: dansimp > [!TIP] -> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
    @@ -62,6 +61,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -108,6 +108,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -127,7 +128,7 @@ ADMX Info: This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system. -The value can be any number from 1 to 100. +The value can be any number from 1 to 100. If you enable this policy setting, the new shell connections are rejected if they exceed the specified limit. @@ -156,6 +157,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -173,7 +175,7 @@ ADMX Info: -This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted. +This policy setting configures the maximum time in milliseconds, and remote shell will stay open without any user activity until it is automatically deleted. Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. @@ -204,6 +206,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -252,6 +255,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -273,7 +277,7 @@ This policy setting configures the maximum number of processes a remote shell is If you enable this policy setting, you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) means unlimited number of processes. -If you disable or do not configure this policy setting, the limit is five processes per shell. +If you disable or do not configure this policy setting, the limit is five processes per shell. @@ -298,6 +302,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -315,7 +320,7 @@ ADMX Info: -This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system. +This policy setting configures the maximum number of concurrent shells and any user can remotely open on the same system. Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells. @@ -346,6 +351,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -380,3 +386,6 @@ ADMX Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 4c77b145dc..c72678c913 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -15,7 +15,7 @@ manager: dansimp # Policy CSP - RestrictedGroups > [!IMPORTANT] -> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +> Starting from Windows 10, version 20H2, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy, to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results.
    @@ -41,6 +41,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -60,7 +61,7 @@ manager: dansimp This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership. -For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed. +For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed. > [!CAUTION] > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error: @@ -69,7 +70,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------| > | 0x55b (Hex)
    1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution. +Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution. ```xml @@ -152,7 +153,7 @@ The following table describes how this policy setting behaves in different Windo | ------------------ | --------------- | |Windows 10, version 1803 | Added this policy setting.
    XML accepts group and member only by name.
    Supports configuring the administrators group using the group name.
    Expects member name to be in the account name format. | | Windows 10, version 1809
    Windows 10, version 1903
    Windows 10, version 1909 | Supports configuring any local group.
    `` accepts only name.
    `` accepts a name or an SID.
    This is useful when you want to ensure a certain local group always has a well-known SID as member. | -| Windows 10, version 2004 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate. | +| Windows 10, version 2004 | Behaves as described in this topic.
    Accepts name or SID for group and members and translates as appropriate.| @@ -160,3 +161,7 @@ The following table describes how this policy setting behaves in different Windo
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index b56f078278..587c5e393d 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -80,6 +80,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -97,7 +98,7 @@ manager: dansimp -Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. +Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources. @@ -129,6 +130,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -177,6 +179,7 @@ This value is a simple boolean value, default false, that can be set by MDM poli |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -231,6 +234,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -250,9 +254,9 @@ The following list shows the supported values: Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. -When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. +When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes file path and date modified. -When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are many WIP-protected media files on the device. +When the policy is disabled, the WIP protected items aren't indexed and don't show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps, if there are many WIP-protected media files on the device. Most restricted value is 0. @@ -285,6 +289,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -335,6 +340,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -357,7 +363,6 @@ This policy controls whether search highlights are shown in the search box or in - If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home. - If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. - ADMX Info: 
@@ -369,11 +374,13 @@ ADMX Info: The following list shows the supported values in Windows 10: -- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. + +- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. - Disabled – Disabling this setting turns off search highlights in the taskbar search box and in search home. The following list shows the supported values in Windows 11: + - Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. - Disabled – Disabling this setting turns off search highlights in the start menu search box and in search home. @@ -403,6 +410,7 @@ This policy has been deprecated. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -422,7 +430,6 @@ This policy has been deprecated. Allows the use of diacritics. - Most restricted value is 0. @@ -454,6 +461,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -471,7 +479,7 @@ The following list shows the supported values: -Allow Windows indexer. Value type is integer. +Allow Windows indexer. Supported value type is integer. @@ -487,6 +495,7 @@ Allow Windows indexer. Value type is integer. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -506,7 +515,6 @@ Allow Windows indexer. Value type is integer. Specifies whether to always use automatic language detection when indexing content and properties. - Most restricted value is 0. 
@@ -538,6 +546,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -586,6 +595,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -638,6 +648,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -659,9 +670,9 @@ Don't search the web or display web results in Search, or show search highlights This policy setting allows you to control whether or not Search can perform queries on the web, if web results are displayed in Search, and if search highlights are shown in the search box and in search home. -- If you enable this policy setting, queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. +- If you enable this policy setting, queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. -- If you disable this policy setting, queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. +- If you disable this policy setting, queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. 
@@ -675,8 +686,8 @@ ADMX Info: The following list shows the supported values: -- 0 - Not allowed. Queries won't be performed on the web, web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. -- 1 (default) - Allowed. Queries will be performed on the web, web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. +- 0 - Not allowed. Queries won't be performed on the web. Web results won't be displayed when a user performs a query in Search, and search highlights won't be shown in the search box and in search home. +- 1 (default) - Allowed. Queries will be performed on the web. Web results will be displayed when a user performs a query in Search, and search highlights will be shown in the search box and in search home. @@ -692,6 +703,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -711,7 +723,7 @@ The following list shows the supported values: Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1. -Enable this policy if computers in your environment have limited hard drive space. +Enable this policy, if computers in your environment have limited hard drive space. When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. @@ -744,6 +756,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -786,3 +799,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index dcf870fbf8..7399515109 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Security -
    @@ -53,7 +52,6 @@ manager: dansimp -
    @@ -65,6 +63,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -127,6 +126,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -167,6 +167,7 @@ The following list shows the supported values: |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -185,7 +186,7 @@ The following list shows the supported values: -Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. +Admin access is required. The prompt will appear on first admin logon after a reboot, when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. @@ -200,7 +201,7 @@ ADMX Info: The following list shows the supported values: - 0 (default) – Won't force recovery from a non-ready TPM state. -- 1 – Will prompt to clear the TPM if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. +- 1 – Will prompt to clear the TPM, if the TPM is in a non-ready state (or reduced functionality) which can be remediated with a TPM Clear. @@ -216,6 +217,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -242,9 +244,9 @@ Configures the use of passwords for Windows features. The following list shows the supported values: -- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features) -- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features) -- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords") +- 0 -Disallow passwords (Asymmetric credentials will be promoted to replace passwords on Windows features). +- 1- Allow passwords (Passwords continue to be allowed to be used for Windows features). +- 2- Default (Feature defaults as per SKU and device capabilities. Windows 10 S devices will exhibit "Disallow passwords" default, and all other devices will default to "Allow passwords"). @@ -260,6 +262,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -303,6 +306,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -324,9 +328,10 @@ The following list shows the supported values: This policy controls the Admin Authentication requirement in RecoveryEnvironment. Supported values: -- 0 - Default: Keep using default(current) behavior -- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment -- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment + +- 0 - Default: Keep using default(current) behavior. +- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment. +- 2 - NoRequireAuthentication: Admin Authentication isn't required for components in RecoveryEnvironment. 
@@ -374,6 +379,7 @@ If the MDM policy is set to "NoRequireAuthentication" (2) |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -393,7 +399,6 @@ If the MDM policy is set to "NoRequireAuthentication" (2) Allows enterprise to turn on internal storage encryption. - Most restricted value is 1. > [!IMPORTANT] @@ -420,6 +425,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -460,6 +466,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -477,8 +484,7 @@ The following list shows the supported values: -Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. - +Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS), when a device boots or reboots. Setting this policy to 1 (Required): @@ -488,7 +494,6 @@ Setting this policy to 1 (Required): > [!NOTE] > We recommend that this policy is set to Required after MDM enrollment. - Most restricted value is 1. @@ -504,3 +509,7 @@ The following list shows the supported values: + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md index 118dd3a3a7..55e1034d36 100644 --- a/windows/client-management/mdm/policy-csp-servicecontrolmanager.md +++ b/windows/client-management/mdm/policy-csp-servicecontrolmanager.md 
@@ -12,8 +12,6 @@ ms.date: 09/27/2019 # Policy CSP - ServiceControlManager - -
    @@ -25,7 +23,6 @@ ms.date: 09/27/2019 -
    @@ -37,6 +34,7 @@ ms.date: 09/27/2019 |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -67,11 +65,11 @@ If you disable or do not configure this policy setting, the stricter security se > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -96,3 +94,7 @@ Supported values:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 1b0e0f8bc4..1b3303cfb8 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -64,7 +64,6 @@ manager: dansimp -
    @@ -76,6 +75,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -120,6 +120,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -163,6 +164,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -249,7 +251,7 @@ This policy disables edit device name option on Settings. -Describes what values are supported in by this policy and meaning of each value, default value. +Describes what values are supported in/by this policy and meaning of each value, and default value. @@ -265,6 +267,7 @@ Describes what values are supported in by this policy and meaning of each value, |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -306,6 +309,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -350,6 +354,7 @@ ADMX Info: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -391,6 +396,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -432,6 +438,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -473,6 +480,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -513,6 +521,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -554,6 +563,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -594,6 +604,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -611,7 +622,7 @@ The following list shows the supported values: -Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. +Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. @@ -644,6 +655,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -664,21 +676,21 @@ The following list shows the supported values: Allows IT Admins to either: -- Prevent specific pages in the System Settings app from being visible or accessible +- Prevent specific pages in the System Settings app from being visible or accessible. OR -- To do so for all pages except the pages you enter +- To do so for all pages except the pages you enter. The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. -For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: `showonly:about;bluetooth` -If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable if data corruption occurs. 
If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list. +If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable, if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list. The format of the PageVisibilityList value is as follows: @@ -721,3 +733,6 @@ To validate on Desktop, use the following steps: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 5da64f872e..cb36588175 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -44,6 +44,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -95,6 +96,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -143,6 +145,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md index fe81410adf..f46af42add 100644 --- a/windows/client-management/mdm/policy-csp-speech.md +++ b/windows/client-management/mdm/policy-csp-speech.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Speech -
    @@ -26,7 +25,6 @@ manager: dansimp -
    @@ -38,6 +36,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -79,3 +78,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index f760f05bc0..3eacbd485d 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Start -
    @@ -119,18 +118,19 @@ manager: dansimp -
    **Start/AllowPinnedFolderDocuments** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -156,7 +156,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -167,11 +167,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderDownloads** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -197,7 +199,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -208,11 +210,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderFileExplorer** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -238,7 +242,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -249,11 +253,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderHomeGroup** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -279,7 +285,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -290,11 +296,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderMusic** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -320,7 +328,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. 
@@ -331,11 +339,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderNetwork** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -361,7 +371,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -372,11 +382,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderPersonalFolder** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -402,7 +414,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -413,11 +425,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderPictures** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -443,7 +457,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -454,11 +468,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderSettings** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -484,7 +500,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. @@ -495,11 +511,13 @@ The following list shows the supported values: **Start/AllowPinnedFolderVideos** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -525,7 +543,7 @@ The following list shows the supported values: - 0 – The shortcut is hidden and disables the setting in the Settings app. - 1 – The shortcut is visible and disables the setting in the Settings app. -- 65535 (default) - there's no enforced configuration and the setting can be changed by the user. +- 65535 (default) - There's no enforced configuration, and the setting can be changed by the user. 
@@ -597,11 +615,13 @@ This string policy will take a JSON file (expected name LayoutModification.json) **Start/DisableContextMenus** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -652,11 +672,13 @@ The following list shows the supported values: **Start/ForceStartSize** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -678,7 +700,6 @@ The following list shows the supported values: Forces the start screen size. - If there's policy configuration conflict, the latest configuration request is applied to the device. @@ -698,11 +719,13 @@ The following list shows the supported values: **Start/HideAppList** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -729,10 +752,9 @@ Allows IT Admins to configure Start by collapsing or removing the all apps list. > [!Note] > There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - To validate on Desktop, do the following steps: -- 1 - Enable policy and restart explorer.exe +- 1 - Enable policy and restart explorer.exe. - 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle isn't grayed out. - 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. - 2c - If set to '3': Verify that there's no way of opening the all apps list from Start, and that the Settings toggle is grayed out. 
@@ -755,11 +777,13 @@ The following list shows the supported values: **Start/HideChangeAccountSettings** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -802,11 +826,13 @@ To validate on Desktop, do the following steps: **Start/HideFrequentlyUsedApps** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -844,8 +870,8 @@ To validate on Desktop, do the following steps: 1. Enable "Show most used apps" in the Settings app. 2. Use some apps to get them into the most used group in Start. 3. Enable policy. -4. Restart explorer.exe -5. Check that "Show most used apps" Settings toggle is grayed out. +4. Restart explorer.exe. +5. Check that "Show most used apps" Settings toggle is grayed out. 6. Check that most used apps don't appear in Start. @@ -857,11 +883,13 @@ To validate on Desktop, do the following steps: **Start/HideHibernate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -881,7 +909,6 @@ To validate on Desktop, do the following steps: Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. - > [!NOTE] > This policy can only be verified on laptops as "Hibernate" doesn't appear on regular PC's. @@ -908,11 +935,13 @@ To validate on Laptop, do the following steps: **Start/HideLock** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -955,11 +984,13 @@ To validate on Desktop, do the following steps: **Start/HidePeopleBar** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -979,7 +1010,7 @@ To validate on Desktop, do the following steps: Enabling this policy removes the people icon from the taskbar and the corresponding settings toggle. It also prevents users from pinning people to the taskbar. -Value type is integer. +Supported value type is integer. @@ -1005,11 +1036,13 @@ The following list shows the supported values: **Start/HidePowerButton** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1055,11 +1088,13 @@ To validate on Desktop, do the following steps: **Start/HideRecentJumplists** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1098,7 +1133,7 @@ To validate on Desktop, do the following steps: 3. Right click the pinned photos app and verify that a jump list of recently opened items pops up. 4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. 5. Enable policy. -6. Restart explorer.exe +6. Restart explorer.exe. 7. Check that Settings toggle is grayed out. 8. Repeat Step 2. 9. Right Click pinned photos app and verify that there's no jump list of recent items. 
@@ -1112,11 +1147,13 @@ To validate on Desktop, do the following steps: **Start/HideRecentlyAddedApps** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1162,7 +1199,7 @@ To validate on Desktop, do the following steps: 1. Enable "Show recently added apps" in the Settings app. 2. Check if there are recently added apps in Start (if not, install some). 3. Enable policy. -4. Restart explorer.exe +4. Restart explorer.exe. 5. Check that "Show recently added apps" Settings toggle is grayed out. 6. Check that recently added apps don't appear in Start. @@ -1175,11 +1212,13 @@ To validate on Desktop, do the following steps: **Start/HideRestart** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1222,11 +1261,13 @@ To validate on Desktop, do the following steps: **Start/HideShutDown** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1269,11 +1310,13 @@ To validate on Desktop, do the following steps: **Start/HideSignOut** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1316,11 +1359,13 @@ To validate on Desktop, do the following steps: **Start/HideSleep** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1363,11 +1408,13 @@ To validate on Desktop, do the following steps: **Start/HideSwitchAccount** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1410,11 +1457,13 @@ To validate on Desktop, do the following steps: **Start/HideUserTile** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1461,11 +1510,13 @@ To validate on Desktop, do the following steps: **Start/ImportEdgeAssets** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1497,16 +1548,16 @@ Here's more SKU support information: This policy imports Edge assets (for example, .png/.jpg files) for secondary tiles into its local app data path, which allows the StartLayout policy to pin Edge secondary tiles as weblink that ties to the image asset files. > [!IMPORTANT] -> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. +> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy, whenever there are Edge secondary tiles to be pinned from StartLayout policy. -The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). +The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). To validate on Desktop, do the following steps: 1. Set policy with an XML for Edge assets. -2. Set StartLayout policy to anything so that it would trigger the Edge assets import. +2. Set StartLayout policy to anything so that would trigger the Edge assets import. 3. Sign out/in. 4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. @@ -1519,11 +1570,13 @@ To validate on Desktop, do the following steps: **Start/NoPinningToTaskbar** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1541,7 +1594,7 @@ To validate on Desktop, do the following steps: -Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. +Allows IT Admins to configure the taskbar by disabling, pinning, and unpinning apps on the taskbar. @@ -1565,7 +1618,6 @@ To validate on Desktop, do the following steps:
    - **Start/ShowOrHideMostUsedApps** @@ -1622,9 +1674,9 @@ To validate on Desktop, do the following steps: The following list shows the supported values: -- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings -- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings -- Not set - User can use Settings to hide or show Most Used Apps in Start Menu +- 1 - Force showing of Most Used Apps in Start Menu, user can't change in Settings. +- 0 - Force hiding of Most Used Apps in Start Menu, user can't change in Settings. +- Not set - User can use Settings to hide or show Most Used Apps in Start Menu. On clean install, the user setting defaults to "hide". @@ -1638,11 +1690,13 @@ On clean install, the user setting defaults to "hide". **Start/StartLayout** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -1672,7 +1726,7 @@ Here's more SKU support information: |Windows 10, version 1607 and later |Enterprise, Education, Business | |Windows 10, version 1709 and later |Enterprise, Education, Business, Pro, ProEducation, S, ProWorkstation | -Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy +Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy. For more information on how to customize the Start layout, see [Customize and export Start layout](/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](/windows/configuration/configure-windows-10-taskbar). @@ -1689,3 +1743,7 @@ ADMX Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 383f6aedfb..a9e43b4855 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Storage -
    @@ -65,18 +64,19 @@ manager: dansimp -
    **Storage/AllowDiskHealthModelUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,7 +96,7 @@ manager: dansimp Allows disk health model updates. -Value type is integer. +Supported value type is integer. @@ -122,16 +122,19 @@ The following list shows the supported values: **Storage/AllowStorageSenseGlobal** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -146,7 +149,7 @@ Note: Versions prior to version 1903 don't support group policy. -Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. +Storage Sense can automatically clean some of the user’s files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space, and it is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the Storage/ConfigStorageSenseGlobalCadence group policy. If you enable this policy setting without setting a cadence, Storage Sense is turned on for the machine with the default cadence of "during low free disk space." Users can't disable Storage Sense, but they can adjust the cadence (unless you also configure the Storage/ConfigStorageSenseGlobalCadence group policy). @@ -179,16 +182,19 @@ ADMX Info: **Storage/AllowStorageSenseTemporaryFilesCleanup** +Versions prior to version 1903 don't support group policy. |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -239,16 +245,19 @@ ADMX Info: **Storage/ConfigStorageSenseCloudContentDehydrationThreshold** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -299,16 +308,19 @@ ADMX Info: **Storage/ConfigStorageSenseDownloadsCleanupThreshold** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -359,16 +371,19 @@ ADMX Info: **Storage/ConfigStorageSenseGlobalCadence** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -425,16 +440,19 @@ ADMX Info: **Storage/ConfigStorageSenseRecycleBinCleanupThreshold** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home||| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to version 1903 don't support group policy. +> [!NOTE] +> Versions prior to version 1903 don't support group policy.
    @@ -485,11 +503,13 @@ ADMX Info: **Storage/EnhancedStorageDevices** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -509,17 +529,17 @@ ADMX Info: This policy setting configures whether or not Windows will activate an Enhanced Storage device. -If you enable this policy setting, Windows won't activate unactivated Enhanced Storage devices. +If you enable this policy setting, Windows won't activate un-activated Enhanced Storage devices. -If you disable or don't configure this policy setting, Windows will activate unactivated Enhanced Storage devices. +If you disable or don't configure this policy setting, Windows will activate un-activated Enhanced Storage devices. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: 
@@ -537,11 +557,13 @@ ADMX Info: **Storage/RemovableDiskDenyWriteAccess** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -564,7 +586,7 @@ If you enable this policy setting, write access is denied to this removable stor > [!Note] > To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." -Supported values: +Supported values for this policy are: - 0 - Disable - 1 - Enable @@ -597,11 +619,13 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin **Storage/WPDDevicesDenyReadAccessPerDevice** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -621,16 +645,16 @@ See [Use custom settings for Windows 10 devices in Intune](/intune/custom-settin This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth -- Mass Storage Class (MSC) over USB +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, for example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. Supported values for this policy are: - Not configured @@ -659,11 +683,13 @@ ADMX Info: **Storage/WPDDevicesDenyReadAccessPerUser** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -683,16 +709,16 @@ ADMX Info: This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth -- Mass Storage Class (MSC) over USB +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). If enabled, this policy will block end-user from Read access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. Supported values for this policy are: - Not configured @@ -721,11 +747,13 @@ ADMX Info: **Storage/WPDDevicesDenyWriteAccessPerDevice** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -745,16 +773,16 @@ ADMX Info: This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth -- Mass Storage Class (MSC) over USB +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. Supported values for this policy are: - Not configured @@ -783,11 +811,13 @@ ADMX Info: **Storage/WPDDevicesDenyWriteAccessPerUser** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -807,16 +837,16 @@ ADMX Info: This policy will do the enforcement over the following protocols that are used by most portable devices, for example, mobile/IOS/Android: -- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth -- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth -- Mass Storage Class (MSC) over USB +- Picture Transfer Protocol (PTP) over USB, IP, and Bluetooth. +- Media Transfer Protocol (MTP) over USB, IP, and Bluetooth. +- Mass Storage Class (MSC) over USB. To enable this policy, the minimum OS requirement is Windows 10, version 1809 and [KB5003217 (OS Build 17763.1971)](https://support.microsoft.com/en-us/topic/may-20-2021-kb5003217-os-build-17763-1971-preview-08687c95-0740-421b-a205-54aa2c716b46). If enabled, this policy will block end-user from Write access on any Windows Portal devices, for example, mobile/iOS/Android. >[!NOTE] -> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage, e.g. if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browser the USB via explorer. +> WPD policy is not a reliable policy for removable storage - admin can not use WPD policy to block removable storage. For example, if an end-user is using an USB thumb drive under a WPD policy, the policy may block PTP/MTP/etc, but end-user can still browse the USB via explorer. Supported values for this policy are: - Not configured @@ -846,16 +876,19 @@ ADMX Info: **StorageHealthMonitor/DisableStorageHealthMonitor** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| -Note: Versions prior to 21H2 will not support this policy +> [!NOTE] +> Versions prior to 21H2 will not support this policy
    @@ -872,15 +905,15 @@ Note: Versions prior to 21H2 will not support this policy Allows disable of Storage Health Monitor. -Value type is integer. +Supported value type is integer. The following list shows the supported values: -- 0 - Storage Health Monitor is Enabled -- 1 - Storage Health Monitor is Disabled +- 0 - Storage Health Monitor is Enabled. +- 1 - Storage Health Monitor is Disabled. @@ -889,3 +922,7 @@ The following list shows the supported values: + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index a2830db2e2..eddad6eb01 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - System - -
    @@ -118,11 +116,13 @@ manager: dansimp **System/AllowBuildPreview** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -171,11 +171,13 @@ The following list shows the supported values: **System/AllowCommercialDataPipeline** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -192,12 +194,12 @@ The following list shows the supported values: -This policy setting configures an Azure Active Directory joined device so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). +This policy setting configures an Azure Active Directory joined device, so that Microsoft is the processor of the Windows diagnostic data collected from the device, subject to the [Product Terms](https://www.microsoft.com/licensing/terms/productoffering). To enable this behavior, you must complete two steps: - 1. Enable this policy setting - 2. Join an Azure Active Directory account to the device + 1. Enable this policy setting. + 2. Join an Azure Active Directory account to the device. Windows diagnostic data is collected when the Allow Telemetry policy setting is set to 1 – **Required (Basic)** or above. 
@@ -244,11 +246,11 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: - 1. Enable this policy setting - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above - 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace + 1. Enable this policy setting. + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. + 3. Set the Configure the Commercial ID setting for your Desktop Analytics workspace. -This setting has no effect on devices unless they're properly enrolled in Desktop Analytics. +This setting has no effect on devices, unless they're properly enrolled in Desktop Analytics. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -268,11 +270,13 @@ The following list shows the supported values: **System/AllowDeviceNameInDiagnosticData** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -289,7 +293,7 @@ The following list shows the supported values: -This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or don't configure this policy setting, then device name won't be sent to Microsoft as part of Windows diagnostic data. @@ -322,11 +326,13 @@ The following list shows the supported values: **System/AllowEmbeddedMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -363,11 +369,13 @@ The following list shows the supported values: **System/AllowExperimentation** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -389,7 +397,6 @@ The following list shows the supported values: This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - Most restricted value is 0. @@ -409,11 +416,13 @@ The following list shows the supported values: **System/AllowFontProviders** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -451,8 +460,8 @@ ADMX Info: The following list shows the supported values: -- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. +- 0 - false - No traffic to fs.microsoft.com, and only locally installed fonts are available. +- 1 - true (default) - There may be network traffic to fs.microsoft.com, and downloadable fonts are available to apps that support them. @@ -469,11 +478,13 @@ To verify if System/AllowFontProviders is set to true: **System/AllowLocation** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -492,7 +503,6 @@ To verify if System/AllowFontProviders is set to true: Specifies whether to allow app access to the Location service. - Most restricted value is 0. While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. 
@@ -531,7 +541,7 @@ This policy setting configures an Azure Active Directory joined device so that M For customers who enroll into the Microsoft Managed Desktop service, this policy will be enabled by default to allow Microsoft to process data for operational and analytic needs. For more information, see [Privacy and personal data](/microsoft-365/managed-desktop/service-description/privacy-personal-data). -This setting has no effect on devices unless they're properly enrolled in Microsoft Managed Desktop. +This setting has no effect on devices, unless they're properly enrolled in Microsoft Managed Desktop. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -546,11 +556,13 @@ If you disable this policy setting, devices may not appear in Microsoft Managed **System/AllowStorageCard** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -575,7 +587,7 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card. +- 0 – SD card use isn't allowed, and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card. - 1 (default) – Allow a storage card. @@ -587,11 +599,13 @@ The following list shows the supported values: **System/AllowTelemetry** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -618,7 +632,6 @@ The following list shows the supported values for Windows 8.1: - 1 – Allowed, except for Secondary Data Requests. - 2 (default) – Allowed. - In Windows 10, you can configure this policy setting to decide what level of diagnostic data to send to Microsoft. The following list shows the supported values for Windows 10 version 1809 and older, choose the value that is applicable to your OS version (older OS values are displayed in the brackets): @@ -657,11 +670,13 @@ ADMX Info: **System/AllowUpdateComplianceProcessing** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -683,9 +698,9 @@ This policy setting, in combination with the Allow Telemetry and Configure the C To enable this behavior, you must complete three steps: - 1. Enable this policy setting - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above - 3. Set the Configure the Commercial ID setting for your Update Compliance workspace + 1. Enable this policy setting. + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. + 3. Set the Configure the Commercial ID setting for your Update Compliance workspace. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -716,11 +731,13 @@ The following list shows the supported values: **System/AllowUserToResetPhone** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -765,9 +782,9 @@ This policy setting configures an Azure Active Directory joined device so that M To enable this behavior, you must complete three steps: - 1. Enable this policy setting - 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above - 3. Join an Azure Active Directory account to the device + 1. Enable this policy setting. + 2. Set **AllowTelemetry** to 1 – **Required (Basic)** or above. + 3. Join an Azure Active Directory account to the device. When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments. @@ -788,11 +805,13 @@ The following list shows the supported values: **System/BootStartDriverInitialization** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -815,19 +834,19 @@ This policy setting allows you to specify which boot-start drivers are initializ - Bad, but required for boot: The driver has been identified as malware, but the computer can't successfully boot without loading this driver. - Unknown: This driver hasn't been attested to by your malware detection application and hasn't been classified by the Early Launch Antimalware boot-start driver. -If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize the next time the computer is started. +If you enable this policy setting, you'll be able to choose which boot-start drivers to initialize next time the computer is started. -If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. +If you disable or don't configure this policy setting, the boot start drivers determined to be Good, Unknown, or Bad, but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. If your malware detection application doesn't include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -845,11 +864,13 @@ ADMX Info: **System/ConfigureMicrosoft365UploadEndpoint** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -872,7 +893,7 @@ If your organization is participating in the program and has been instructed to The value for this setting will be provided by Microsoft as part of the onboarding process for the program. -Value type is string. +Supported value type is string. ADMX Info: @@ -900,11 +921,13 @@ ADMX Info: **System/ConfigureTelemetryOptInChangeNotification** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -922,8 +945,9 @@ ADMX Info: This policy setting determines whether a device shows notifications about telemetry levels to people on first sign in or when changes occur in Settings.  -If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings. + +- If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +- If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first sign in and when changes occur in Settings. @@ -948,11 +972,13 @@ The following list shows the supported values: **System/ConfigureTelemetryOptInSettingsUx** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1001,11 +1027,13 @@ The following list shows the supported values: **System/DisableDeviceDelete** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1023,8 +1051,9 @@ The following list shows the supported values: This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. -If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + +- If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +- If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. @@ -1053,11 +1082,13 @@ ADMX Info: **System/DisableDiagnosticDataViewer** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1075,8 +1106,9 @@ ADMX Info: This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. -If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + +- If you enable this policy setting, the Diagnostic Data Viewer won't be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +- If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. @@ -1105,11 +1137,13 @@ ADMX Info: **System/DisableEnterpriseAuthProxy** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1126,7 +1160,7 @@ ADMX Info: -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy, to send data back to Microsoft on Windows 10. If you disable or don't configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy, to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. @@ -1146,11 +1180,13 @@ ADMX Info: **System/DisableOneDriveFileSync** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1209,11 +1245,13 @@ To validate on Desktop, do the following steps: **System/DisableSystemRestore** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1236,19 +1274,19 @@ This policy setting allows you to turn off System Restore. System Restore enables users, in case of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. +If you enable this policy setting, System Restore is turned off, then System Restore Wizard can't be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. -If you disable or don't configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. +If you disable or don't configure this policy setting, users can perform System Restore, and configure System Restore settings through System Protection. Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -1266,11 +1304,13 @@ ADMX Info: **System/FeedbackHubAlwaysSaveDiagnosticsLocally** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1305,11 +1345,13 @@ The following list shows the supported values: **System/LimitDiagnosticLogCollection** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1326,7 +1368,7 @@ The following list shows the supported values: -This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection. +This policy setting specifies whether diagnostic log data can be collected when more information is needed to troubleshoot a problem. It's sent only if we have permission to collect optional diagnostic data, and only if the device meets the criteria for more data collection. If you disable or don't configure this policy setting, we may occasionally collect advanced diagnostic data if the user has opted to send optional diagnostic data. 
@@ -1354,11 +1396,13 @@ The following list shows the supported values: **System/LimitDumpCollection** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1375,7 +1419,7 @@ The following list shows the supported values: -This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. +This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. These dumps aren't sent unless we have permission to collect optional diagnostic data. With this policy setting being enabled, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps only. @@ -1404,11 +1448,13 @@ The following list shows the supported values: **System/LimitEnhancedDiagnosticDataWindowsAnalytics** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1438,9 +1484,8 @@ To enable this behavior, you must complete two steps: > [!NOTE] > **Enhanced** is no longer an option for Windows Holographic, version 21H1. - - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full) + - For Windows 10 version 19H1 and later: set **AllowTelemetry** to Optional (Full). - When you configure these policy settings, a basic level of diagnostic data plus other events that are required for Windows Analytics are sent to Microsoft. These events are documented here: Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics. Enabling enhanced diagnostic data in the Allow Telemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus enhanced level telemetry data. This setting has no effect on computers configured to send Required (Basic) or Optional (Full) diagnostic data to Microsoft. @@ -1465,11 +1510,13 @@ ADMX Info: **System/TelemetryProxy** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1508,11 +1555,13 @@ ADMX Info: **System/TurnOffFileHistory** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1560,3 +1609,7 @@ The following list shows the supported values:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md index c979583ff0..7ecb2141a8 100644 --- a/windows/client-management/mdm/policy-csp-systemservices.md +++ b/windows/client-management/mdm/policy-csp-systemservices.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - SystemServices - -
    @@ -49,11 +47,13 @@ manager: dansimp **SystemServices/ConfigureHomeGroupListenerServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -71,7 +71,9 @@ manager: dansimp -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. @@ -88,11 +90,13 @@ GP Info: **SystemServices/ConfigureHomeGroupProviderServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -110,7 +114,9 @@ GP Info: -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. @@ -127,11 +133,13 @@ GP Info: **SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -149,7 +157,9 @@ GP Info: -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. 
@@ -166,11 +176,13 @@ GP Info: **SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -188,7 +200,9 @@ GP Info: -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. @@ -205,11 +219,13 @@ GP Info: **SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -227,7 +243,9 @@ GP Info: -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. @@ -244,11 +262,13 @@ GP Info: **SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -266,7 +286,9 @@ GP Info: -This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual. +This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). + +Default: Manual. @@ -281,3 +303,6 @@ GP Info: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file 
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 1cae440c6c..123b672f38 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - TaskManager -
    @@ -26,18 +25,19 @@ manager: dansimp -
    **TaskManager/AllowEndTask** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -57,9 +57,11 @@ manager: dansimp This setting determines whether non-administrators can use Task Manager to end tasks. -Value type is integer. Supported values: +Supported value type is integer. + +Supported values: - 0 - Disabled. EndTask functionality is blocked in TaskManager. -- 1 - Enabled (default). Users can perform EndTask in TaskManager. +- 1 - Enabled (default). Users can perform EndTask in TaskManager. @@ -70,13 +72,15 @@ Value type is integer. Supported values: **Validation procedure:** -When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager -When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager +- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager. +- When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager.
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md index 983bd29762..841d5e8f3e 100644 --- a/windows/client-management/mdm/policy-csp-taskscheduler.md +++ b/windows/client-management/mdm/policy-csp-taskscheduler.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - TaskScheduler - -
    @@ -34,11 +32,13 @@ manager: dansimp **TaskScheduler/EnableXboxGameSaveTask** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -64,3 +64,6 @@ This setting determines whether the specific task is enabled (1) or disabled (0) +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index f65160e893..0d6692ed2c 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - TextInput - -
    @@ -137,11 +135,13 @@ Placeholder only. Do not use in production environment. **TextInput/AllowIMELogging** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -162,8 +162,7 @@ Placeholder only. Do not use in production environment. > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - -Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. +Allows the user to turn on and off the logging for incorrect conversion, and saving auto-tuning result to a file and history-based predictive input. Most restricted value is 0. @@ -171,8 +170,8 @@ Most restricted value is 0. The following list shows the supported values: -- 0 – Not allowed. -- 1 (default) – Allowed. +- 0 – Not allowed. +- 1 (default) – Allowed. @@ -183,11 +182,13 @@ The following list shows the supported values: **TextInput/AllowIMENetworkAccess** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -227,11 +228,13 @@ The following list shows the supported values: **TextInput/AllowInputPanel** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -252,7 +255,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the IT admin to disable the touch/handwriting keyboard on Windows. Most restricted value is 0. 
@@ -273,11 +275,13 @@ The following list shows the supported values: **TextInput/AllowJapaneseIMESurrogatePairCharacters** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -298,10 +302,8 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the Japanese IME surrogate pair characters. - Most restricted value is 0. @@ -320,11 +322,13 @@ The following list shows the supported values: **TextInput/AllowJapaneseIVSCharacters** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -345,7 +349,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows Japanese Ideographic Variation Sequence (IVS) characters. Most restricted value is 0. @@ -366,11 +369,13 @@ The following list shows the supported values: **TextInput/AllowJapaneseNonPublishingStandardGlyph** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -391,7 +396,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the Japanese non-publishing standard glyph. Most restricted value is 0. @@ -412,11 +416,13 @@ The following list shows the supported values: **TextInput/AllowJapaneseUserDictionary** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -437,7 +443,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the Japanese user dictionary. Most restricted value is 0. @@ -458,11 +463,13 @@ The following list shows the supported values: **TextInput/AllowKeyboardTextSuggestions** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -524,11 +531,13 @@ This policy has been deprecated. **TextInput/AllowLanguageFeaturesUninstall** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -549,8 +558,7 @@ This policy has been deprecated. > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - -Allows the uninstall of language features, such as spell checkers, on a device. +Allows the uninstall of language features, such as spell checkers on a device. Most restricted value is 0. @@ -578,11 +586,13 @@ The following list shows the supported values: **TextInput/AllowLinguisticDataCollection** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -623,11 +633,13 @@ This setting supports a range of values between 0 and 1. **TextInput/AllowTextInputSuggestionUpdate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -668,11 +680,13 @@ The following list shows the supported values: **TextInput/ConfigureJapaneseIMEVersion** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -713,11 +727,13 @@ The following list shows the supported values: **TextInput/ConfigureSimplifiedChineseIMEVersion** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -758,11 +774,13 @@ The following list shows the supported values: **TextInput/ConfigureTraditionalChineseIMEVersion** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -783,6 +801,7 @@ The following list shows the supported values: > [!NOTE] > - This policy is enforced only in Windows 10 for desktop. > - This policy requires reboot to take effect. + Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop. @@ -802,11 +821,13 @@ The following list shows the supported values: **TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -848,11 +869,13 @@ The following list shows the supported values: **TextInput/ExcludeJapaneseIMEExceptJIS0208** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -873,7 +896,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the users to restrict character code range of conversion by setting the character filter. @@ -892,11 +914,13 @@ The following list shows the supported values: **TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -917,7 +941,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the users to restrict character code range of conversion by setting the character filter. @@ -936,11 +959,13 @@ The following list shows the supported values: **TextInput/ExcludeJapaneseIMEExceptShiftJIS** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -961,7 +986,6 @@ The following list shows the supported values: > [!NOTE] > The policy is only enforced in Windows 10 for desktop. - Allows the users to restrict character code range of conversion by setting the character filter. @@ -980,11 +1004,13 @@ The following list shows the supported values: **TextInput/ForceTouchKeyboardDockedState** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1021,11 +1047,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardDictationButtonAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1062,11 +1090,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardEmojiButtonAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1103,11 +1133,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardFullModeAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1131,7 +1163,7 @@ Specifies whether the full keyboard mode is enabled or disabled for the touch ke The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. +- 0 (default) - The OS determines, when it's most appropriate to be available. - 1 - Full keyboard is always available. - 2 - Full keyboard is always disabled. @@ -1144,11 +1176,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardHandwritingModeAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1172,7 +1206,7 @@ Specifies whether the handwriting input panel is enabled or disabled. When this The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. +- 0 (default) - The OS determines, when it's most appropriate to be available. - 1 - Handwriting input panel is always available. - 2 - Handwriting input panel is always disabled. @@ -1185,11 +1219,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardNarrowModeAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1213,7 +1249,7 @@ Specifies whether the narrow keyboard mode is enabled or disabled for the touch The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. +- 0 (default) - The OS determines, when it's most appropriate to be available. - 1 - Narrow keyboard is always available. - 2 - Narrow keyboard is always disabled. @@ -1226,11 +1262,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardSplitModeAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1254,7 +1292,7 @@ Specifies whether the split keyboard mode is enabled or disabled for the touch k The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. +- 0 (default) - The OS determines, when it's most appropriate to be available. - 1 - Split keyboard is always available. - 2 - Split keyboard is always disabled. 
@@ -1267,11 +1305,13 @@ The following list shows the supported values: **TextInput/TouchKeyboardWideModeAvailability** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1295,7 +1335,7 @@ Specifies whether the wide keyboard mode is enabled or disabled for the touch ke The following list shows the supported values: -- 0 (default) - The OS determines when it's most appropriate to be available. +- 0 (default) - The OS determines, when it's most appropriate to be available. - 1 - Wide keyboard is always available. - 2 - Wide keyboard is always disabled. @@ -1305,3 +1345,6 @@ The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md index 09a8420d64..a580e736f3 100644 --- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md +++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - TimeLanguageSettings - -
    @@ -43,11 +41,13 @@ manager: dansimp **TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -97,11 +97,13 @@ ADMX Info: **TimeLanguageSettings/ConfigureTimeZone** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -141,11 +143,13 @@ Specifies the time zone to be applied to the device. This policy name is the sta **TimeLanguageSettings/MachineUILanguageOverwrite** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -195,11 +199,13 @@ ADMX Info: **TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -237,3 +243,6 @@ If you disable or don't configure this policy setting, there's no language featu +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md index b19352d765..d588058db0 100644 --- a/windows/client-management/mdm/policy-csp-troubleshooting.md +++ b/windows/client-management/mdm/policy-csp-troubleshooting.md @@ -12,8 +12,6 @@ ms.date: 09/27/2019 # Policy CSP - Troubleshooting - -
    @@ -32,11 +30,13 @@ ms.date: 09/27/2019 **Troubleshooting/AllowRecommendations** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -54,7 +54,7 @@ ms.date: 09/27/2019 -This policy setting allows IT admins to configure how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments. +This policy setting allows IT admins to configure, how to apply recommended troubleshooting for known problems on the devices in their domains or IT environments. @@ -98,3 +98,6 @@ By default, this policy isn't configured and the SKU based defaults are used for +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fbc41ad17a..4c9d94d790 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -241,11 +241,13 @@ ms.collection: highpri **Update/ActiveHoursEnd** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -263,10 +265,10 @@ ms.collection: highpri -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. > [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -290,11 +292,13 @@ ADMX Info: **Update/ActiveHoursMaxRange** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -336,11 +340,13 @@ ADMX Info: **Update/ActiveHoursStart** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -361,7 +367,7 @@ ADMX Info: Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. > [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. @@ -385,11 +391,13 @@ ADMX Info: **Update/AllowAutoUpdate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -411,7 +419,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Supported operations are Get and Replace. -If the policy isn't configured, end-users get the default behavior (Auto install and restart). +If the policy isn't configured, end-users get the default behavior (Auto download and install). 
@@ -426,18 +434,17 @@ ADMX Info: The following list shows the supported values: -- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. 
For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 - Turn off automatic updates. - +- 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. 
Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). +- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. +- 5: Turn off automatic updates. +- 6 (default): Updates automatically download and install at an optimal time determined by the device. 
Restart occurs outside of active hours until the deadline is reached, if configured. > [!IMPORTANT] > This option should be used only for systems under regulatory compliance, as you won't get security updates as well. - @@ -447,11 +454,13 @@ The following list shows the supported values: **Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -469,7 +478,7 @@ The following list shows the supported values: -Option to download updates automatically over metered connections (off by default). Value type is integer. +Option to download updates automatically over metered connections (off by default). The supported value type is integer. A significant number of devices primarily use cellular data and don't have Wi-Fi access, which leads to a lower number of devices getting updates. Since a large number of devices have large data plans or unlimited data, this policy can unblock devices from getting updates. @@ -499,11 +508,13 @@ The following list shows the supported values: **Update/AllowMUUpdateService** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -556,11 +567,13 @@ $MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d") **Update/AllowNonMicrosoftSignedUpdate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -582,7 +595,7 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b Supported operations are Get and Replace. -This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +This policy is specific to desktop and local publishing via WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). This policy allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft, when the update is found on an intranet Microsoft update service location. @@ -600,11 +613,13 @@ The following list shows the supported values: **Update/AllowUpdateService** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -624,7 +639,7 @@ The following list shows the supported values: Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store +Even when Windows Update is configured to receive updates from an intranet update service. It will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft Store. Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working. @@ -655,11 +670,13 @@ The following list shows the supported values: **Update/AutoRestartDeadlinePeriodInDays** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -679,9 +696,9 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. -Value type is integer. Default is seven days. +Supported value type is integer. Default is seven days. Supported values range: 2-30. 
@@ -692,7 +709,8 @@ If you enable this policy, a restart will automatically occur the specified numb If you disable or don't configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect: -1. No autorestart with signed-in users for scheduled automatic updates installations. + +1. No autorestart with signed-in users for the scheduled automatic updates installations. 2. Always automatically restart at scheduled time. @@ -713,11 +731,13 @@ ADMX Info: **Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -737,9 +757,9 @@ ADMX Info: For Feature Updates, this policy specifies the deadline in days before automatically executing a scheduled restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart is scheduled. -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. -Value type is integer. Default is 7 days. +Supported value type is integer. Default is 7 days. Supported values range: 2-30. 
@@ -750,7 +770,8 @@ If you enable this policy, a restart will automatically occur the specified numb If you disable or don't configure this policy, the PC will restart according to the default schedule. If any of the following two policies are enabled, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations. + +1. No autorestart with logged on users for the scheduled automatic updates installations. 2. Always automatically restart at scheduled time. @@ -771,11 +792,13 @@ ADMX Info: **Update/AutoRestartNotificationSchedule** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -819,11 +842,13 @@ Supported values are 15, 30, 60, 120, and 240 (minutes). **Update/AutoRestartRequiredNotificationDismissal** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -868,11 +893,13 @@ The following list shows the supported values: **Update/AutomaticMaintenanceWakeUp** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -898,6 +925,7 @@ This policy setting allows you to configure if Automatic Maintenance should make If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if necessary. If you disable or don't configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies. + ADMX Info: 
@@ -926,11 +954,13 @@ Supported values: **Update/BranchReadinessLevel** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -966,7 +996,7 @@ The following list shows the supported values: - 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) - 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) - 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted). +- 16 {0x10} - (default) General Availability Channel (Targeted). Device gets all applicable feature updates from General Availability Channel (Targeted) - 32 {0x20} - General Availability Channel. Device gets feature updates from General Availability Channel. (*Only applicable to releases prior to 1903, for all releases 1903 and after the General Availability Channel and General Availability Channel (Targeted) into a single General Availability Channel with a value of 16) @@ -978,11 +1008,13 @@ The following list shows the supported values: **Update/ConfigureDeadlineForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1030,11 +1062,13 @@ Default value is 7. **Update/ConfigureDeadlineForQualityUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1082,11 +1116,13 @@ Default value is 7. **Update/ConfigureDeadlineGracePeriod** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1104,7 +1140,7 @@ Default value is 7. -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy isn't, then the default value of 2 will be used. @@ -1117,7 +1153,7 @@ ADMX Info: -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required quality update. Default value is 2. @@ -1135,11 +1171,13 @@ Default value is 2. **Update/ConfigureDeadlineGracePeriodForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1158,7 +1196,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy isn't, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. @@ -1171,7 +1209,7 @@ ADMX Info: -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically, after installing a required feature update. Default value is 2. @@ -1189,11 +1227,13 @@ Default value is 2. **Update/ConfigureDeadlineNoAutoReboot** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1245,11 +1285,13 @@ Supported values: **Update/ConfigureFeatureUpdateUninstallPeriod** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1267,7 +1309,11 @@ Supported values: -Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days. +Enable IT admin to configure feature update uninstall period. + +Values range 2 - 60 days. + +Default is 10 days. @@ -1278,11 +1324,13 @@ Enable IT admin to configure feature update uninstall period. Values range 2 - 6 **Update/DeferFeatureUpdatesPeriodInDays** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1326,11 +1374,13 @@ ADMX Info: **Update/DeferQualityUpdatesPeriodInDays** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1370,11 +1420,13 @@ ADMX Info: **Update/DeferUpdatePeriod** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1395,7 +1447,6 @@ ADMX Info: > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates. 
@@ -1448,11 +1499,13 @@ ADMX Info: **Update/DeferUpgradePeriod** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1473,7 +1526,6 @@ ADMX Info: > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - Allows IT Admins to specify other upgrade delays for up to eight months. Supported values are 0-8, which refers to the number of months to defer upgrades. @@ -1498,11 +1550,13 @@ ADMX Info: **Update/DetectionFrequency** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1540,11 +1594,13 @@ ADMX Info: **Update/DisableDualScan** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1562,13 +1618,14 @@ ADMX Info: -Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. +Don't allow update deferral policies to cause scans against Windows Update. If this policy isn't enabled, then configuring deferral policies will result in the client unexpectedly scanning Windows update. With the policy enabled, those scans are prevented, and users can configure deferral policies as much as they like. For more information about dual scan, see [Demystifying "Dual Scan"](/archive/blogs/wsus/demystifying-dual-scan) and [Improving Dual Scan on 1607](/archive/blogs/wsus/improving-dual-scan-on-1607). This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update." -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -1594,11 +1651,13 @@ The following list shows the supported values: **Update/DisableWUfBSafeguards** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1629,7 +1688,7 @@ IT admins can, if necessary, opt devices out of safeguard protections using this > > The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update. > -> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues. +> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues. @@ -1655,11 +1714,13 @@ The following list shows the supported values: **Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1693,8 +1754,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) - Enforce certificate pinning -- 1 - Don't enforce certificate pinning +- 0 (default) - Enforce certificate pinning. +- 1 - Don't enforce certificate pinning. @@ -1705,11 +1766,13 @@ The following list shows the supported values: **Update/EngagedRestartDeadline** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1729,23 +1792,25 @@ The following list shows the supported values: For Quality Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Autorestart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. -The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system and user busy checks. +The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks. > [!NOTE] > If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period. -Value type is integer. Default is 14. +Supporting value type is integer. + +Default is 14. Supported value range: 2 - 30. -If no deadline is specified or deadline is set to 0, the restart won't be automatically executed and will remain Engaged restart (for example, pending user scheduling). +If no deadline is specified or deadline is set to 0, the restart won't be automatically executed, and will remain Engaged restart (for example, pending user scheduling). If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. 
No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. @@ -1765,11 +1830,13 @@ ADMX Info: **Update/EngagedRestartDeadlineForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1789,7 +1856,9 @@ ADMX Info: For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period. -Value type is integer. Default is 14. +Supported value type is integer. + +Default is 14. Supported value range: 2-30. @@ -1798,9 +1867,9 @@ If no deadline is specified or deadline is set to 0, the restart won't be automa If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. 
@@ -1820,11 +1889,13 @@ ADMX Info: **Update/EngagedRestartSnoozeSchedule** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1844,16 +1915,18 @@ ADMX Info: For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. -Value type is integer. Default is three days. +Supported value type is integer. + +Default is three days. Supported value range: 1-3. If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. @@ -1873,11 +1946,13 @@ ADMX Info: **Update/EngagedRestartSnoozeScheduleForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1897,16 +1972,18 @@ ADMX Info: For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days. -Value type is integer. Default is three days. +Supported value type is integer. + +Default is three days. Supported value range: 1-3. If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. @@ -1926,11 +2003,13 @@ ADMX Info: **Update/EngagedRestartTransitionSchedule** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1950,16 +2029,18 @@ ADMX Info: For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. Default value is 7 days. +Supported value type is integer. + +Default value is 7 days. Supported value range: 2 - 30. If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. @@ -1979,11 +2060,13 @@ ADMX Info: **Update/EngagedRestartTransitionScheduleForFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2003,16 +2086,18 @@ ADMX Info: For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. -Value type is integer. Default value is seven days. +Supported value type is integer. + +Default value is seven days. Supported value range: 2-30. If you disable or don't configure this policy, the default behaviors will be used. If any of the following policies are configured, this policy has no effect: -1. No autorestart with logged on users for scheduled automatic updates installations -2. Always automatically restart at scheduled time -3. Specify deadline before autorestart for update installation +1. No autorestart with logged on users for scheduled automatic updates installations. +2. Always automatically restart at scheduled time. +3. Specify deadline before autorestart for update installation. @@ -2032,11 +2117,13 @@ ADMX Info: **Update/ExcludeWUDriversInQualityUpdate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2081,11 +2168,13 @@ The following list shows the supported values: **Update/FillEmptyContentUrls** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2103,10 +2192,10 @@ The following list shows the supported values: -Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). +Allows Windows Update Agent to determine the download URL when it's missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). > [!NOTE] -> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server. +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service doesn't provide download URLs in the update metadata for files which are available on the alternate download server. @@ -2133,11 +2222,13 @@ The following list shows the supported values: **Update/IgnoreMOAppDownloadLimit** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2186,11 +2277,13 @@ To validate this policy: **Update/IgnoreMOUpdateDownloadLimit** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2239,11 +2332,13 @@ To validate this policy: **Update/ManagePreviewBuilds** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2261,7 +2356,9 @@ To validate this policy: -Used to manage Windows 10 Insider Preview builds. Value type is integer. +Used to manage Windows 10 Insider Preview builds. + +Supported value type is integer. @@ -2276,9 +2373,9 @@ ADMX Info: The following list shows the supported values: -- 0 - Disable Preview builds -- 1 - Disable Preview builds once the next release is public -- 2 - Enable Preview builds +- 0 - Disable Preview builds. +- 1 - Disable Preview builds once the next release is public. +- 2 - Enable Preview builds. @@ -2289,11 +2386,13 @@ The following list shows the supported values: **Update/PauseDeferrals** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2314,10 +2413,8 @@ The following list shows the supported values: > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. - Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. @@ -2345,11 +2442,13 @@ The following list shows the supported values: **Update/PauseFeatureUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2368,7 +2467,7 @@ The following list shows the supported values: -Allows IT Admins to pause feature updates for up to 35 days. We recomment that you use the *Update/PauseFeatureUpdatesStartTime* policy if you're running Windows 10, version 1703 or later. +Allows IT Admins to pause feature updates for up to 35 days. We recommend that you use the *Update/PauseFeatureUpdatesStartTime* policy, if you're running Windows 10, version 1703 or later. @@ -2395,11 +2494,13 @@ The following list shows the supported values: **Update/PauseFeatureUpdatesStartTime** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2419,7 +2520,8 @@ The following list shows the supported values: Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date. -Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. +- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). +- Supported operations are Add, Get, Delete, and Replace. @@ -2439,11 +2541,13 @@ ADMX Info: **Update/PauseQualityUpdates** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2488,11 +2592,13 @@ The following list shows the supported values: **Update/PauseQualityUpdatesStartTime** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2512,7 +2618,8 @@ The following list shows the supported values: Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date. -Value type is string (yyyy-mm-dd, ex. 2018-10-28). Supported operations are Add, Get, Delete, and Replace. +- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28). +- Supported operations are Add, Get, Delete, and Replace. @@ -2543,11 +2650,13 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd **Update/ProductVersion** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2580,7 +2689,7 @@ ADMX Info: -Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10". +Supported value type is a string containing a Windows product. For example, "Windows 11" or "11" or "Windows 10". @@ -2593,7 +2702,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro 1. The applicable Windows license was purchased through volume licensing, or -2. That you're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms). +2. You're authorized to bind your organization and are accepting on its behalf the relevant Microsoft Software License Terms to be found here: (https://www.microsoft.com/Useterms).
    @@ -2601,11 +2710,13 @@ By using this Windows Update for Business policy to upgrade devices to a new pro **Update/RequireDeferUpgrade** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2626,7 +2737,6 @@ By using this Windows Update for Business policy to upgrade devices to a new pro > [!NOTE] > Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. - Allows the IT admin to set a device to General Availability Channel train. @@ -2652,11 +2762,13 @@ The following list shows the supported values: **Update/RequireUpdateApproval** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|No| +|Windows SE|No|No| |Business|Yes|No| |Enterprise|Yes|No| |Education|Yes|No| @@ -2677,7 +2789,6 @@ The following list shows the supported values: > [!NOTE] > If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved. Supported operations are Get and Replace. 
@@ -2698,11 +2809,13 @@ The following list shows the supported values: **Update/ScheduleImminentRestartWarning** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2746,11 +2859,13 @@ Supported values are 15, 30, or 60 (minutes). **Update/ScheduleRestartWarning** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2769,8 +2884,7 @@ Supported values are 15, 30, or 60 (minutes). > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Allows the IT Admin to specify the period for autorestart warning reminder notifications. @@ -2798,11 +2912,13 @@ Supported values are 2, 4, 8, 12, or 24 (hours). **Update/ScheduledInstallDay** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2822,7 +2938,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours). Enables the IT admin to schedule the day of the update installation. -The data type is an integer. +Supported data type is an integer. Supported operations are Add, Delete, Get, and Replace. @@ -2857,11 +2973,13 @@ The following list shows the supported values: **Update/ScheduledInstallEveryWeek** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -2879,11 +2997,14 @@ The following list shows the supported values: -Enables the IT admin to schedule the update installation on every week. Value type is integer. Supported values: -
      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every week
    • -
    +Enables the IT admin to schedule the update installation on every week. + +Supported Value type is integer. + +Supported values: +- 0 - no update in the schedule. +- 1 - update is scheduled every week. + @@ -2903,11 +3024,13 @@ ADMX Info: **Update/ScheduledInstallFirstWeek** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2925,11 +3048,14 @@ ADMX Info: -Enables the IT admin to schedule the update installation on the first week of the month. Value type is integer. Supported values: -
      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every first week of the month
    • -
    +Enables the IT admin to schedule the update installation on the first week of the month. + +Supported value type is integer. + +Supported values: +- 0 - no update in the schedule. +- 1 - update is scheduled every first week of the month. + @@ -2949,11 +3075,13 @@ ADMX Info: **Update/ScheduledInstallFourthWeek** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -2971,11 +3099,14 @@ ADMX Info: -Enables the IT admin to schedule the update installation on the fourth week of the month. Value type is integer. Supported values: -
      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every fourth week of the month
    • -
    +Enables the IT admin to schedule the update installation on the fourth week of the month. + +Supported value type is integer. + +Supported values: +- 0 - no update in the schedule. +- 1 - update is scheduled every fourth week of the month. + @@ -2995,11 +3126,13 @@ ADMX Info: **Update/ScheduledInstallSecondWeek** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3017,11 +3150,15 @@ ADMX Info: -Enables the IT admin to schedule the update installation on the second week of the month. Value type is integer. Supported values: -
      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every second week of the month
    • -
    +Enables the IT admin to schedule the update installation on the second week of the month. + +Supported vlue type is integer. + +Supported values: + +- 0 - no update in the schedule. +- 1 - update is scheduled every second week of the month. + @@ -3041,11 +3178,13 @@ ADMX Info: **Update/ScheduledInstallThirdWeek** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3063,11 +3202,14 @@ ADMX Info: -Enables the IT admin to schedule the update installation on the third week of the month. Value type is integer. Supported values: -
      -
    • 0 - no update in the schedule
    • -
    • 1 - update is scheduled every third week of the month
    • -
    +Enables the IT admin to schedule the update installation on the third week of the month. + +Supported value type is integer. + +Supported values: +- 0 - no update in the schedule. +- 1 - update is scheduled every third week of the month. + @@ -3087,11 +3229,13 @@ ADMX Info: **Update/ScheduledInstallTime** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3110,12 +3254,11 @@ ADMX Info: > [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Enables the IT admin to schedule the time of the update installation. -The data type is an integer. +The supported data type is an integer. Supported operations are Add, Delete, Get, and Replace. @@ -3141,11 +3284,13 @@ ADMX Info: **Update/SetAutoRestartNotificationDisable** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3190,11 +3335,13 @@ The following list shows the supported values: **Update/SetDisablePauseUXAccess** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3214,7 +3361,11 @@ The following list shows the supported values: This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature. -Value type is integer. Default is 0. Supported values 0, 1. +Supported value type is integer. + +Default is 0. + +Supported values 0, 1. 
@@ -3231,11 +3382,13 @@ ADMX Info: **Update/SetDisableUXWUAccess** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3255,7 +3408,11 @@ ADMX Info: This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features. -Value type is integer. Default is 0. Supported values 0, 1. +Supported value type is integer. + +Default is 0. + +Supported values 0, 1. @@ -3272,11 +3429,13 @@ ADMX Info: **Update/SetEDURestart** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3296,7 +3455,7 @@ ADMX Info: For devices in a cart, this policy skips all restart checks to ensure that the reboot will happen at ScheduledInstallTime. -When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. +When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursEnd, and ShareCartPC, it will defer all the update processes (scan, download, install, and reboot) to a time after Active Hours. After a buffer period, after ActiveHoursEnd, the device will wake up several times to complete the processes. All processes are blocked before ActiveHoursStart. 
@@ -3322,11 +3481,13 @@ The following list shows the supported values: **Update/SetPolicyDrivenUpdateSourceForDriver** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3352,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOther >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3366,8 +3527,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Driver from Windows Update -- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS) +- 0: (Default) Detect, download, and deploy Driver from Windows Update. +- 1: Enabled, Detect, download, and deploy Driver from Windows Server Update Server (WSUS). @@ -3378,11 +3539,13 @@ The following list shows the supported values: **Update/SetPolicyDrivenUpdateSourceForFeature** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3408,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOther >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. 
@@ -3422,8 +3585,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Feature from Windows Update -- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS) +- 0: (Default) Detect, download, and deploy Feature from Windows Update. +- 1: Enabled, Detect, download, and deploy Feature from Windows Server Update Server (WSUS). @@ -3434,11 +3597,13 @@ The following list shows the supported values: **Update/SetPolicyDrivenUpdateSourceForOther** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3464,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForDriver >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3478,8 +3643,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Other from Windows Update -- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS) +- 0: (Default) Detect, download, and deploy Other from Windows Update. +- 1: Enabled, Detect, download, and deploy Other from Windows Server Update Server (WSUS). @@ -3490,11 +3655,13 @@ The following list shows the supported values: **Update/SetPolicyDrivenUpdateSourceForQuality** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3520,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOther >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3534,8 +3701,8 @@ ADMX Info: The following list shows the supported values: -- 0: (Default) Detect, download, and deploy Quality from Windows Update -- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS) +- 0: (Default) Detect, download, and deploy Quality from Windows Update. +- 1: Enabled, Detect, download, and deploy Quality from Windows Server Update Server (WSUS). @@ -3546,11 +3713,13 @@ The following list shows the supported values: **Update/SetProxyBehaviorForUpdateDetection** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3587,6 +3756,7 @@ The following list shows the supported values: - 0 (default) - Allow system proxy only for HTTP scans. - 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. + > [!NOTE] > Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. @@ -3599,11 +3769,13 @@ The following list shows the supported values: **Update/TargetReleaseVersion** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3622,6 +3794,7 @@ The following list shows the supported values: Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](/windows/release-health/release-information/). + ADMX Info: @@ -3633,7 +3806,7 @@ ADMX Info: -Value type is a string containing Windows 10 version number. For example, 1809, 1903. +Supported value type is a string containing Windows 10 version number. For example, 1809, 1903. @@ -3649,11 +3822,13 @@ Value type is a string containing Windows 10 version number. For example, 1809, **Update/UpdateNotificationLevel** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3675,9 +3850,9 @@ Display options for update notifications. This policy allows you to define what Options: -- 0 (default) - Use the default Windows Update notifications -- 1 - Turn off all notifications, excluding restart warnings -- 2 - Turn off all notifications, including restart warnings +- 0 (default) - Use the default Windows Update notifications. +- 1 - Turn off all notifications, excluding restart warnings. +- 2 - Turn off all notifications, including restart warnings. > [!IMPORTANT] > If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk. 
@@ -3708,11 +3883,13 @@ ADMX Info: **Update/UpdateServiceUrl** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -3782,11 +3959,13 @@ Example **Update/UpdateServiceUrlAlternate** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -3808,9 +3987,9 @@ Specifies an alternate intranet server to host updates from Microsoft Update. Yo This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. +To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. -Value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +Supported value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. > [!NOTE] > If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. @@ -3831,3 +4010,7 @@ ADMX Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 3d13322718..9d126f072e 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - UserRights -
    User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab). @@ -77,7 +76,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s > [!NOTE] > `` is the entity encoding of 0xF000. -For example, the following syntax grants user rights to Authenticated Users and Replicator user groups: +For example, the following syntax grants user rights to Authenticated Users and Replicator user groups.: ```xml @@ -197,11 +196,13 @@ For example, the following syntax grants user rights to a specific user or group **UserRights/AccessCredentialManagerAsTrustedCaller** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -236,11 +237,13 @@ GP Info: **UserRights/AccessFromNetwork** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -259,6 +262,7 @@ GP Info: This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services isn't affected by this user right. + > [!NOTE] > Remote Desktop Services was called Terminal Services in previous versions of Windows Server. @@ -277,11 +281,13 @@ GP Info: **UserRights/ActAsPartOfTheOperatingSystem** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -300,6 +306,7 @@ GP Info: This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. + > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. @@ -318,11 +325,13 @@ GP Info: **UserRights/AllowLocalLogOn** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -341,6 +350,7 @@ GP Info: This user right determines which users can sign in to the computer. + > [!NOTE] > Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website. @@ -359,11 +369,13 @@ GP Info: **UserRights/BackupFilesAndDirectories** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -382,6 +394,7 @@ GP Info: This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read. + > [!CAUTION] > Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only. 
@@ -400,11 +413,13 @@ GP Info: **UserRights/ChangeSystemTime** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -423,8 +438,9 @@ GP Info: This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. + > [!CAUTION] -> Configuring user rights replaces existing users or groups previously assigned those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy. +> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy. > > Not including the Local Service account will result in failure with the following error: > @@ -447,11 +463,13 @@ GP Info: **UserRights/CreateGlobalObjects** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -470,6 +488,7 @@ GP Info: This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. + > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. @@ -488,11 +507,13 @@ GP Info: **UserRights/CreatePageFile** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -527,11 +548,13 @@ GP Info: **UserRights/CreatePermanentSharedObjects** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -566,11 +589,13 @@ GP Info: **UserRights/CreateSymbolicLinks** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -589,8 +614,10 @@ GP Info: This user right determines if the user can create a symbolic link from the computer they're signed in to. + > [!CAUTION] > This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. + > [!NOTE] > This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links. 
@@ -609,11 +636,13 @@ GP Info: **UserRights/CreateToken** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -632,6 +661,7 @@ GP Info: This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. + > [!CAUTION] > Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. @@ -650,11 +680,13 @@ GP Info: **UserRights/DebugPrograms** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -673,6 +705,7 @@ GP Info: This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications don't need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. + > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. @@ -691,11 +724,13 @@ GP Info: **UserRights/DenyAccessFromNetwork** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -713,7 +748,7 @@ GP Info: -This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. +This user right determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access to this computer from the network policy setting if a user account is subject to both policies. @@ -730,11 +765,13 @@ GP Info: **UserRights/DenyLocalLogOn** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -772,11 +809,13 @@ GP Info: **UserRights/DenyRemoteDesktopServicesLogOn** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -811,11 +850,13 @@ GP Info: **UserRights/EnableDelegation** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -834,6 +875,7 @@ GP Info: This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account doesn't have the Account can't be delegated account control flag set. + > [!CAUTION] > Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources. @@ -852,11 +894,13 @@ GP Info: **UserRights/GenerateSecurityAudits** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -891,11 +935,13 @@ GP Info: **UserRights/ImpersonateClient** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -914,14 +960,19 @@ GP Info: Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. + > [!CAUTION] > Assigning this user right can be a security risk. Assign this user right to trusted users only. + > [!NOTE] > By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. -1) The access token that is being impersonated is for this user. -2) The user, in this sign-in session, created the access token by signing in to the network with explicit credentials. -3) The requested level is less than Impersonate, such as Anonymous or Identify. + +1. The access token that is being impersonated is for this user. +1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials. +1. The requested level is less than Impersonate, such as Anonymous or Identify. + Because of these factors, users don't usually need this user right. + > [!WARNING] > If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run. 
@@ -940,11 +991,13 @@ GP Info: **UserRights/IncreaseSchedulingPriority** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -984,11 +1037,13 @@ GP Info: **UserRights/LoadUnloadDeviceDrivers** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1007,6 +1062,7 @@ GP Info: This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right doesn't apply to Plug and Play device drivers. It's recommended that you don't assign this privilege to other users. + > [!CAUTION] > Assigning this user right can be a security risk. Don't assign this user right to any user, group, or process that you don't want to take over the system. @@ -1025,11 +1081,13 @@ GP Info: **UserRights/LockMemory** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1064,11 +1122,13 @@ GP Info: **UserRights/ManageAuditingAndSecurityLog** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1103,11 +1163,13 @@ GP Info: **UserRights/ManageVolume** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1125,7 +1187,7 @@ GP Info: -This user right determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. +This user right determines which users and groups can run maintenance tasks on a volume, such as remote de-fragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are opened, the user might be able to read and modify the acquired data. @@ -1142,11 +1204,13 @@ GP Info: **UserRights/ModifyFirmwareEnvironment** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1165,6 +1229,7 @@ GP Info: This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows. + > [!NOTE] > This security setting doesn't affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties. 
@@ -1183,11 +1248,13 @@ GP Info: **UserRights/ModifyObjectLabel** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1222,11 +1289,13 @@ GP Info: **UserRights/ProfileSingleProcess** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1261,11 +1330,13 @@ GP Info: **UserRights/RemoteShutdown** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1300,11 +1371,13 @@ GP Info: **UserRights/RestoreFilesAndDirectories** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1323,6 +1396,7 @@ GP Info: This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write. + > [!CAUTION] > Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only. 
@@ -1341,11 +1415,13 @@ GP Info: **UserRights/TakeOwnership** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1364,6 +1440,7 @@ GP Info: This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. + > [!CAUTION] > Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only. @@ -1378,3 +1455,7 @@ GP Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md index 2ca5d714a9..4d39b65348 100644 --- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md +++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md @@ -28,18 +28,19 @@ manager: dansimp -
    **VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -57,7 +58,7 @@ manager: dansimp -Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). +Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). >[!NOTE] >After the policy is pushed, a system reboot will be required to change the state of HVCI. @@ -66,9 +67,9 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity The following are the supported values: -- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock -- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock -- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock +- 0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock. +- 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. +- 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock. 
@@ -84,11 +85,13 @@ The following are the supported values: **VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -106,7 +109,7 @@ The following are the supported values: -Allows the IT admin to control the state of Hypervisor-protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). +Allows the IT admin to control the state of Hypervisor-Protected Code Integrity (HVCI) on devices. HVCI is a feature within Virtualization Based Security, and is frequently referred to as Memory integrity. Learn more [here](/windows-hardware/design/device-experiences/oem-vbs). >[!NOTE] >After the policy is pushed, a system reboot will be required to change the state of HVCI. @@ -116,8 +119,8 @@ Allows the IT admin to control the state of Hypervisor-protected Code Integrity The following are the supported values: -- 0: (Disabled) Do not require UEFI Memory Attributes Table -- 1: (Enabled) Require UEFI Memory Attributes Table +- 0: (Disabled) Do not require UEFI Memory Attributes Table. +- 1: (Enabled) Require UEFI Memory Attributes Table. @@ -131,3 +134,6 @@ The following are the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md index 0f2a4df17d..5306104d5c 100644 --- a/windows/client-management/mdm/policy-csp-wifi.md +++ b/windows/client-management/mdm/policy-csp-wifi.md 
@@ -69,6 +69,7 @@ This policy has been deprecated. |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -119,6 +120,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -169,6 +171,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -214,6 +217,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -256,6 +260,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -296,6 +301,7 @@ The following list shows the supported values: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md index 1dc3fde74d..5f934b05bd 100644 --- a/windows/client-management/mdm/policy-csp-windowsautopilot.md +++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md @@ -39,6 +39,7 @@ manager: dansimp |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -72,3 +73,6 @@ This policy enables Windows Autopilot to be kept up-to-date during the out-of-bo
    + +## Related topics +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md index dd72a9ae8b..efce371108 100644 --- a/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md +++ b/windows/client-management/mdm/policy-csp-windowsconnectionmanager.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - WindowsConnectionManager - -
    @@ -34,11 +32,13 @@ manager: dansimp **WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -60,23 +60,25 @@ This policy setting prevents computers from connecting to both a domain-based ne If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: -Automatic connection attempts +Automatic connection attempts: + - When the computer is already connected to a domain-based network, all automatic connection attempts to non-domain networks are blocked. - When the computer is already connected to a non-domain-based network, automatic connection attempts to domain-based networks are blocked. -Manual connection attempts -- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed. -- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked. +Manual connection attempts: + +- When the computer is already connected to either a non-domain-based network or a domain-based network over media other than Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing network connection is disconnected and the manual connection is allowed. +- When the computer is already connected to either a non-domain-based network or a domain-based network over Ethernet, and a user attempts to create a manual connection to another network in violation of this policy setting, then an existing Ethernet connection is maintained and the manual connection attempt is blocked. 
If this policy setting isn't configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -89,6 +91,8 @@ ADMX Info:
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index f7a519d956..665a0824e5 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -14,10 +14,10 @@ manager: dansimp # Policy CSP - WindowsDefenderSecurityCenter -
    + ## WindowsDefenderSecurityCenter policies
    @@ -89,18 +89,19 @@ manager: dansimp
    -
    **WindowsDefenderSecurityCenter/CompanyName** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -120,10 +121,12 @@ manager: dansimp The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options. -Value type is string. Supported operations are Add, Get, Replace and Delete. +- Supported value type is string. +- Supported operations are Add, Get, Replace and Delete. + ADMX Info: - GP Friendly name: *Specify contact company name* - GP name: *EnterpriseCustomization_CompanyName* @@ -140,11 +143,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/DisableAccountProtectionUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -188,11 +193,13 @@ Valid values: **WindowsDefenderSecurityCenter/DisableAppBrowserUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -212,7 +219,8 @@ Valid values: Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. 
@@ -238,11 +246,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableClearTpmButton** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -262,14 +272,9 @@ The following list shows the supported values: Disable the Clear TPM button in Windows Security. -Enabled: -The Clear TPM button will be unavailable for use. - -Disabled: -The Clear TPM button will be available for use on supported systems. - -Not configured: -Same as Disabled. +- Enabled: The Clear TPM button will be unavailable for use. +- Disabled: The Clear TPM button will be available for use on supported systems. +- Not configured: Same as Disabled. Supported values: @@ -302,11 +307,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/DisableDeviceSecurityUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -350,11 +357,13 @@ Valid values: **WindowsDefenderSecurityCenter/DisableEnhancedNotifications** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -377,7 +386,8 @@ Use this policy if you want Windows Defender Security Center to only display not > [!NOTE] > If Suppress notification is enabled then users won't see critical or non-critical messages. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. 
@@ -403,11 +413,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableFamilyUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -427,7 +439,8 @@ The following list shows the supported values: Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -453,11 +466,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableHealthUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -477,7 +492,8 @@ The following list shows the supported values: Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -503,11 +519,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableNetworkUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -527,7 +545,8 @@ The following list shows the supported values: Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -553,11 +572,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableNotifications** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -577,7 +598,8 @@ The following list shows the supported values: Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -603,11 +625,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -627,14 +651,9 @@ The following list shows the supported values: Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. -Enabled: -Users won't be shown a recommendation to update their TPM Firmware. - -Disabled: -Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. - -Not configured: -Same as Disabled. +- Enabled: Users won't be shown a recommendation to update their TPM Firmware. +- Disabled: Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmware. +- Not configured: Same as Disabled. Supported values: @@ -667,11 +686,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/DisableVirusUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -691,7 +712,8 @@ ADMX Info: Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -717,11 +739,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -741,7 +765,8 @@ The following list shows the supported values: Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area. -Value type is integer. Supported operations are Add, Get, Replace and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace and Delete. @@ -767,11 +792,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/Email** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -789,9 +816,10 @@ The following list shows the supported values: -The email address that is displayed to users.  The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. +The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. -Value type is string. Supported operations are Add, Get, Replace and Delete. +- Supported value type is string. +- Supported operations are Add, Get, Replace and Delete. @@ -811,11 +839,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/EnableCustomizedToasts** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -835,7 +865,8 @@ ADMX Info: Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +- Supported value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -861,11 +892,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/EnableInAppCustomization** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -885,7 +918,8 @@ The following list shows the supported values: Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification. -Value type is integer. Supported operations are Add, Get, Replace, and Delete. +- Support value type is integer. +- Supported operations are Add, Get, Replace, and Delete. @@ -911,11 +945,13 @@ The following list shows the supported values: **WindowsDefenderSecurityCenter/HideRansomwareDataRecovery** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -959,11 +995,13 @@ Valid values: **WindowsDefenderSecurityCenter/HideSecureBoot** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1007,11 +1045,13 @@ Valid values: **WindowsDefenderSecurityCenter/HideTPMTroubleshooting** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1055,11 +1095,13 @@ Valid values: **WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1081,14 +1123,9 @@ This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in or reboot the computer for this setting to take effect. -Enabled: -Windows Security notification area control will be hidden. - -Disabled: -Windows Security notification area control will be shown. - -Not configured: -Same as Disabled. +- Enabled: Windows Security notification area control will be hidden. +- Disabled: Windows Security notification area control will be shown. +- Not configured: Same as Disabled. Supported values: @@ -1121,11 +1158,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/Phone** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -1143,9 +1182,10 @@ ADMX Info: -The phone number or Skype ID that is displayed to users.  Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. +The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -1165,11 +1205,13 @@ ADMX Info: **WindowsDefenderSecurityCenter/URL** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -1189,7 +1231,8 @@ ADMX Info: The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options. -Value type is string. Supported operations are Add, Get, Replace, and Delete. +- Supported value type is string. +- Supported operations are Add, Get, Replace, and Delete. @@ -1205,3 +1248,7 @@ ADMX Info:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md index 6daf010d04..b6cd4ac1ab 100644 --- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md +++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - WindowsInkWorkspace -
    @@ -29,18 +28,19 @@ manager: dansimp -
    **WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -84,11 +84,13 @@ The following list shows the supported values: **WindowsInkWorkspace/AllowWindowsInkWorkspace** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -119,7 +121,7 @@ ADMX Info: -Value type is int. The following list shows the supported values: +Supported value type is int. The following list shows the supported values: - 0 - access to ink workspace is disabled. The feature is turned off. - 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. @@ -131,3 +133,6 @@ Value type is int. The following list shows the supported values: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 4998d7eaf9..4951a14248 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - WindowsLogon - -
    @@ -52,18 +50,19 @@ manager: dansimp > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -
    **WindowsLogon/AllowAutomaticRestartSignOn** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -120,11 +119,13 @@ ADMX Info: **WindowsLogon/ConfigAutomaticRestartSignOn** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -181,11 +182,13 @@ ADMX Info: **WindowsLogon/DisableLockScreenAppNotifications** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -227,11 +230,13 @@ ADMX Info: **WindowsLogon/DontDisplayNetworkSelectionUI** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -298,11 +303,13 @@ ADMX Info: **WindowsLogon/EnableFirstLogonAnimation** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -359,11 +366,13 @@ Supported values: **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -405,11 +414,13 @@ ADMX Info: **WindowsLogon/HideFastUserSwitching** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -457,3 +468,6 @@ To validate on Desktop, do the following steps: +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowspowershell.md b/windows/client-management/mdm/policy-csp-windowspowershell.md index 13e24a3f5d..2aa49f3cfb 100644 --- a/windows/client-management/mdm/policy-csp-windowspowershell.md +++ b/windows/client-management/mdm/policy-csp-windowspowershell.md @@ -14,8 +14,6 @@ manager: dansimp # Policy CSP - WindowsPowerShell - -
    @@ -34,11 +32,13 @@ manager: dansimp **WindowsPowerShell/TurnOnPowerShellScriptBlockLogging** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -57,19 +57,18 @@ manager: dansimp -This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, -Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. +This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through automation. If you disable this policy setting, logging of PowerShell script input is disabled. -If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script -starts or stops. Enabling Invocation Logging generates a high volume of event logs. +If you enable the Script Block Invocation Logging, PowerShell additionally logs events when invocation of a command, script block, function, or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. -Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. +> [!NOTE] +> This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting. > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. 
For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). > @@ -86,6 +85,8 @@ ADMX Info:
    - +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md index 02edfd6f6e..8a946c0358 100644 --- a/windows/client-management/mdm/policy-csp-windowssandbox.md +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -39,7 +39,6 @@ ms.date: 10/14/2020 -
    @@ -48,11 +47,13 @@ ms.date: 10/14/2020 Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -118,11 +119,13 @@ The following are the supported values: Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -142,7 +145,7 @@ Available in the latest Windows 10 insider preview build. This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. -If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled. +If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled). If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file. @@ -185,11 +188,13 @@ The following are the supported values: Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -250,11 +255,13 @@ The following are the supported values: Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -272,7 +279,7 @@ Available in the latest Windows 10 insider preview build. -This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. +This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. If this policy isn't configured, end-users get the default behavior (printer sharing disabled). @@ -316,11 +323,13 @@ The following are the supported values: Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -385,11 +394,13 @@ The following are the supported values: Available in the latest Windows 10 insider preview build. +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -448,3 +459,7 @@ The following are the supported values:
    + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index ac5e6d69fd..54953f93ee 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -56,11 +56,13 @@ manager: dansimp **WirelessDisplay/AllowMdnsAdvertisement** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -96,11 +98,13 @@ The following list shows the supported values: **WirelessDisplay/AllowMdnsDiscovery** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -136,11 +140,13 @@ The following list shows the supported values: **WirelessDisplay/AllowMovementDetectionOnInfrastructure** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -183,11 +189,13 @@ The following list shows the supported values: **WirelessDisplay/AllowProjectionFromPC** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -223,11 +231,13 @@ The following list shows the supported values: **WirelessDisplay/AllowProjectionFromPCOverInfrastructure** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -263,11 +273,13 @@ The following list shows the supported values: **WirelessDisplay/AllowProjectionToPC** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -289,7 +301,7 @@ Allow or disallow turning off the projection to a PC. If you set it to 0 (zero), your PC isn't discoverable and you can't project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. -Value type is integer. +Supported value type is integer. @@ -315,11 +327,13 @@ The following list shows the supported values: **WirelessDisplay/AllowProjectionToPCOverInfrastructure** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -355,11 +369,13 @@ The following list shows the supported values: **WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -395,11 +411,13 @@ The following list shows the supported values: **WirelessDisplay/RequirePinForPairing** +The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -421,7 +439,7 @@ Allow or disallow requirement for a PIN for pairing. If you turn on this policy, the pairing ceremony for new devices will always require a PIN. If you turn off this policy or don't configure it, a PIN isn't required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. -Value type is integer. +Supported value type is integer. @@ -444,3 +462,7 @@ The following list shows the supported values: +CSP Article: + +## Related topics +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md deleted file mode 100644 index ecef629054..0000000000 --- a/windows/client-management/mdm/policymanager-csp.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: PolicyManager CSP -description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP. -ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/28/2017 ---- - -# PolicyManager CSP - -PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead. - - - -## Related articles - -[Policy CSP](policy-configuration-service-provider.md) - -[Configuration service provider reference](configuration-service-provider-reference.md) 
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md index 6e19fc3072..90ae19604d 100644 --- a/windows/client-management/mdm/provisioning-csp.md +++ b/windows/client-management/mdm/provisioning-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # Provisioning CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md deleted file mode 100644 index 33a8847c7f..0000000000 --- a/windows/client-management/mdm/proxy-csp.md +++ /dev/null 
@@ -1,127 +0,0 @@ ---- -title: PROXY CSP -description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections. -ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 ---- - -# PROXY CSP - - -The PROXY configuration service provider is used to configure proxy connections. - -> [!NOTE] -> Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release. - -This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - -For the PROXY CSP, you can't use the Replace command unless the node already exists. - -The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider. - -``` -./Vendor/MSFT/Proxy -----* ---------ProxyId ---------Name ---------AddrType ---------Addr ---------AddrFQDN ---------ConRefs -------------* -----------------ConRef ---------Domains -------------* -----------------DomainName ---------Ports -------------* -----------------PortNbr -----------------Services ---------------------* -------------------------ServiceName ---------ProxyType ---------ProxyParams -------------WAP -----------------Trust -----------------PushEnabled ---------Ext -------------Microsoft -----------------Guid -``` - -**./Vendor/MSFT/Proxy** -Root node for the proxy connection. - -***ProxyName*** -Defines the name of a proxy connection. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. 
Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). - -The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction. - -***ProxyName*/PROXYID** -Specifies the unique identifier of the proxy connection. - -***ProxyName*/NAME** -Specifies the user-friendly name of the proxy connection. - -***ProxyName*/ADDR** -Specifies the address of the proxy server. - -This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection. - -***ProxyName*/ADDRTYPE** -Specifies the type of address used to identify the proxy server. - -The valid values are IPV4, IPV6, E164, ALPHA. - -***ProxyName*/PROXYTYPE** -Specifies the type of proxy connection. - -Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL. - -***ProxyName*/Ports** -Node for port information. - -***ProxyName*/Ports/_PortName_** -Defines the name of a port. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. - -***ProxyName*/Ports/*PortName*/PortNbr** -Specifies the port number to be associated with the parent port. - -***ProxyName*/Ports/*PortName*/Services** -Node for services information. - -***ProxyName*/Ports/Services/_ServiceName_** -Defines the name of a service. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. - -***ProxyName*/Ports/Services/*ServiceName*/ServiceName** -Specifies the protocol to be associated with the parent port. - -One commonly used value is "HTTP". - -***ProxyName*/ConRefs** -Node for connection reference information - -***ProxyName*/ConRefs/_ConRefName_** -Defines the name of a connection reference. 
- -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. - -***ProxyName*/ConRefs/*ConRefName*/ConRef** -Specifies one single connectivity object associated with the proxy connection. - -## Related topics - -[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index cc8752d76b..6401374804 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -14,7 +14,6 @@ ms.date: 06/26/2017 # PXLOGICAL configuration service provider - The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. > [!NOTE] diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 7403425b15..809e9c49fa 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md index 83a95ac493..3e3b8ff7a0 100644 --- a/windows/client-management/mdm/remotefind-csp.md +++ b/windows/client-management/mdm/remotefind-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -189,13 +190,3 @@ Supported operation is Get. ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 0771489578..892812a101 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index fd6c701600..7748b792e0 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -87,7 +88,7 @@ Specifies the ending time for retrieving logs. - Supported operations are Get and Replace. **Type** -Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the WIP learning logs. +Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs. - Value type is integer. - Supported operations are Get and Replace. diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 5d51a77945..e4a1e8600c 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md 
@@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index ca841ad032..06af135189 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index b9b7d48b42..12c12195b2 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index c3018f398a..567c6f4989 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| @@ -230,13 +231,3 @@ The default in the SharedPC provisioning package is 1024. ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 61cb297fdf..6e89265fcb 100644 --- a/windows/client-management/mdm/supl-csp.md 
+++ b/windows/client-management/mdm/supl-csp.md @@ -14,6 +14,17 @@ ms.date: 09/12/2019 # SUPL CSP +The SUPL configuration service provider is used to configure the location client, as shown in the following: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -32,7 +43,7 @@ The SUPL configuration service provider is used to configure the location client - Address of the server—a mobile positioning center for non-trusted mode. - The positioning method used by the MPC for non-trusted mode. -The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted, a new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. +The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted. A new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. The following example shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. 
@@ -83,7 +94,7 @@ Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) serve If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned. But the configuration service provider will continue processing the rest of the parameters. **Version** Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator. 
@@ -94,9 +105,9 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z **MCCMNCPairs** Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. -This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC. +This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC. -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **HighAccPositioningMethod** Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: 
@@ -110,16 +121,12 @@ Optional. Specifies the positioning method that the SUPL client will use for mob |4|OTDOA| |5|AFLT| -  - The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. > [!IMPORTANT] > The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. -  - -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. @@ -133,7 +140,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu |Off|0|Yes| |Off|1|No (unless privacyOverride is set)| - When the location toggle is set to Off and this value is set to 1, the following application requests will fail: - `noNotificationNoVerification` 
@@ -148,12 +154,12 @@ However, if `privacyOverride` is set in the message, the location will be return When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **NIDefaultTimeout** -Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. +Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. +This value manages the settings for SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. **ServerAccessInterval** Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. 
@@ -216,10 +222,10 @@ Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root ce Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. **MPC** -Optional. The address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. +Optional. Specifies the address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. **PDE** -Optional. The address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty. +Optional. Specifies the address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty. **PositioningMethod\_MR** Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: 
@@ -238,13 +244,12 @@ The default is 0. The default method provides high-quality assisted GNSS positio > The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.   - -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1. -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. |Location toggle setting|LocMasterSwitchDependencyNII setting|NI request processing allowed| |--- |--- |--- | 
@@ -267,22 +272,21 @@ However, if `privacyOverride` is set in the message, the location will be return When the location toggle is set to Off and this value is set to 0, the location toggle doesn't prevent SUPL network-initiated requests from working. -For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. +For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **ApplicationTypeIndicator\_MR** Required. This value must always be set to `00000011`. **NIDefaultTimeout** -Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. +Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. -This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used. **ServerAccessInterval** Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. ## Unsupported Nodes - The following optional nodes aren't supported on Windows devices. - ProviderID 
@@ -305,7 +309,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove ## OMA Client Provisioning examples - Adding new configuration information for an H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml @@ -330,7 +333,7 @@ Adding new configuration information for an H-SLP server for SUPL. Values in ita ``` -Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. +Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value. ```xml @@ -361,7 +364,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be ## OMA DM examples - Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml @@ -436,7 +438,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. |Elements|Available| diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 301db5eab6..3828794610 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md 
@@ -14,7 +14,7 @@ ms.date: 07/28/2017 # SurfaceHub CSP -The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later. The following example shows the SurfaceHub CSP management objects in tree format. @@ -240,7 +240,7 @@ If there's an error calling ValidateAndCommit, there's another context for that | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. | | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure the ExchangeServer field is valid. | | 5 | Saving account information | Unable to save account details to the system. | -| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. | +| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. | It performs the following: - The data type is integer. @@ -321,7 +321,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed. **InBoxApps/Whiteboard/SigninDisabled** -Sign-in from the Whiteboard app aren't allowed. +Sign-ins from the Whiteboard app aren't allowed. - The data type is boolean. - Supported operation is Get and Replace. 
@@ -548,4 +548,8 @@ GUID identifying the Microsoft Operations Management Suite workspace ID to colle Primary key for authenticating with the workspace. - The data type is string. -- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. \ No newline at end of file +- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 61939e6c29..a4b4565694 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index bf47fbcbfc..a95c47c94f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -828,12 +828,8 @@ items: href: policy-csp-windowssandbox.md - name: WirelessDisplay href: policy-csp-wirelessdisplay.md - - name: PolicyManager CSP - href: policymanager-csp.md - name: Provisioning CSP href: provisioning-csp.md - - name: PROXY CSP - href: proxy-csp.md - name: PXLOGICAL CSP href: pxlogical-csp.md - name: Reboot CSP @@ -908,6 +904,11 @@ items: items: - name: UnifiedWriteFilter DDF file href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md - name: Update CSP href: update-csp.md items: 
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 0c7915fe7c..18a3515e60 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -13,10 +13,20 @@ manager: dansimp # TPMPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on) from Windows and inbox applications to public IP addresses, unless directly intended by the user. This definition allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. -The TPMPolicy CSP was added in Windows 10, version 1703. +The TPMPolicy CSP was added in Windows 10, version 1703, and later. The following example shows the TPMPolicy configuration service provider in tree format. ``` diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 8a3a6d1f58..5b7c5a00a1 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md 
@@ -13,8 +13,18 @@ manager: dansimp # UEFI CSP +The table below shows the applicability of Windows: -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later. > [!NOTE] > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). @@ -51,7 +61,7 @@ Uefi ``` The following list describes the characteristics and parameters. -**./Vendor/MSFT/Uefi** +**./Vendor/MSFT/UEFI** Root node. **DeviceIdentifier** @@ -80,7 +90,7 @@ Retrieves the binary result package of the previous Identity/Apply operation. Supported operation is Get. **Permissions** -Node for settings permission operations.. +Node for settings permission operations. **Permissions/Current** Retrieves XML from UEFI that describes the current UEFI settings permissions. diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 1904740772..43ef78e8bb 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -14,6 +14,16 @@ ms.date: 06/26/2017 # UnifiedWriteFilter CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|No| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. @@ -315,7 +325,6 @@ Supported operations are Get and Execute. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md new file mode 100644 index 0000000000..e7ca5d359c --- /dev/null +++ b/windows/client-management/mdm/universalprint-csp.md 
@@ -0,0 +1,110 @@ +--- +title: UniversalPrint CSP +description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices. +ms.author: mandia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MandiOhlinger +ms.date: 06/02/2022 +ms.reviewer: jimwu +manager: dougeby +--- + +# UniversalPrint CSP + +The table below shows the applicability of Windows: + +|Edition|Windows 11| +|--- |--- | +|Home|No| +|Pro|Yes| +|Windows SE|Yes| +|Business|Yes| +|Enterprise|Yes| +|Education|Yes| + +The UniversalPrint configuration service provider (CSP) is used to add Universal Print-compatible printers to Windows client endpoints. Universal Print is a cloud-based printing solution that runs entirely in Microsoft Azure. It doesn't require any on-premises infrastructure. For more specific information, go to [What is Universal Print](/universal-print/fundamentals/universal-print-whatis). + +This CSP was added in Windows 11. + +The following example shows the UniversalPrint configuration service provider in tree format. + +```console +./Vendor/MSFT +PrinterProvisioning +----UPPrinterInstalls +-------- (PrinterSharedID) +--------CloudDeviceID +--------PrinterSharedName +--------Install +--------Status +--------ErrorCode +``` + +**./Vendor/MSFT/PrinterProvisioning** +The root node for the Universal Print PrinterProvisioning configuration service provider. + +**UPPrinterInstalls** + +This setting will install or uninstall a specific printer to a targeted user account. + +Valid values: + +- Install (default) - The printer is installed. +- Uninstall - The printer is uninstalled. + +The data type is node (XML node). Supported operation is Get. + +**`` (PrinterSharedID)** + +The Share ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). 
+ +The data type is node (XML node). Supported operations are Get, Add, and Delete. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**CloudDeviceID** + +The Printer ID is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Printer ID in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). + +The data type is string/text (GUID). Supported operations are Get, Add, Delete, and Replace. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**PrinterSharedName** + +The Share Name is used to identify the Universal Print printer you want to install on the targeted user account. You can get the printer's Share Name in the printer's properties in the [Universal Print portal](/universal-print/portal/navigate-up). + +The data type is string/text. Supported operations are Get, Add, Delete, and Replace. + +> [!NOTE] +> The targeted user account must have access rights to the printer and to the Universal Print service. + +**Install** + +Installs the Universal Print printer. Supports async execute. + +The data type is string/text (empty string). Supported operations are Get and Execute. + +**Status** + +The result status of the printer installation. + +Valid values: + +- 1 (default) - Installation completed successfully. +- 2 - Installation is in progress after receiving execute cmd. +- 4 - Installation failed. +- 8 - Installation initial status +- 32 - Unknown (not used) + +The data type is int. Supported operations is Get. + +**ErrorCode** + +HRESULT of the last installation returned code. + +The data type is int. Supported operation is Get. diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md new file mode 100644 index 0000000000..cc624c9c29 --- /dev/null 
+++ b/windows/client-management/mdm/universalprint-ddf-file.md 
@@ -0,0 +1,214 @@ +--- +title: UniversalPrint DDF file +description: UniversalPrint DDF file +ms.author: mandia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MandiOhlinger +ms.date: 06/02/2022 +ms.reviewer: jimwu +manager: dougeby +--- + +# UniversalPrint DDF file + +This article shows the OMA DM device description framework (DDF) for the **UniversalPrint** configuration service provider. + +Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). + +The XML below is the current version for this CSP. + +```xml + +]> + + 1.2 + + PrinterProvisioning + ./User/Vendor/MSFT + + + + + Printer Provisioning + + + + + + + + + + + com.microsoft/1.0/MDM/PrinterProvisioning + + + + UPPrinterInstalls + + + + + This setting will take the action on the specified user account to install or uninstall the specified printer. Install action is selected by default. + + + + + + + + + + + + + + + + + + + + + + Identifies the Universal Print printer, by its Share ID, you wish to install on the targeted user account. The printer's Share ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + PrinterSharedID + + + + + PrinterSharedID from the Universal Print system, which is used to discover and install Univeral Print printer + + + + + + CloudDeviceID + + + + + + + + Identifies the Universal Print printer, by its Printer ID, you wish to install on the targeted user account. The printer's Printer ID can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + text/plain + + + + + Install + + + + + + Support async execute. Install Universal Print printer. 
+ + + + + + + + + + + text/plain + + + + + Status + + + + + 1 finished installation successfully, 2 installation in progress after receiving execute cmd, 4 installation failed, 8 installation initial status, 32 unknown (not used). + + + + + + + + + + + text/plain + + + + + ErrorCode + + + + + HRESULT of the last installation returned code. + + + + + + + + + + + text/plain + + + + + PrinterSharedName + + + + + + + + Identifies the Universal Print printer, by its Share Name, you wish to install on the targeted user account. The printer's Share Name can be found in the printer's properties via the Universal Print portal. Note: the targeted user account must have access rights to both the printer and to the Universal Print service. + + + + + + + + + + + text/plain + + + + + + + +``` diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index c728cdb027..9df19dd70b 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -14,6 +14,17 @@ ms.date: 02/23/2018 # Update CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] @@ -62,7 +73,7 @@ The following example shows the Update configuration service provider in tree fo > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

    The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this presentation is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. +

    The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.

    The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 07dbd492dc..ce1fdf95ec 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -14,13 +14,23 @@ ms.date: 09/21/2021 # VPNv2 CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. -- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. +- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure Windows Information Protection policies. - Instead of changing individual properties, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. 
@@ -531,9 +541,9 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/EdpModeId** -Enterprise ID, which is required for connecting this VPN profile with a WIP policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. +Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device. -Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect. +Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect. Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
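Review bot: The replacement line beginning "Additionally when a connection is being established" keeps two defects from the line it replaces: the missing space in "(WIP)(formerly" and the agreement error in "policies and App lists automatically takes effect". Since the line is being rewritten anyway, fix both ("(WIP) (formerly", "take effect"). The requirements list in the first hunk of this file already uses the spaced form.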
@@ -550,7 +560,7 @@ An optional flag to enable Always On mode. This flag will automatically connect Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference. Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` Value: AutoTriggerDisabledProfilesList @@ -696,7 +706,7 @@ Supported operations include Get, Add, Replace, and Delete. Reserved for future use. **VPNv2/**ProfileName**/NativeProfile** -Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). +Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP). **VPNv2/**ProfileName**/NativeProfile/Servers** Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index d318a8734b..dcf303c5fa 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md 
@@ -442,3 +442,7 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: ``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index fca8b3674b..13f6f62afe 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # w4 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS). @@ -47,7 +57,7 @@ This parameter takes a string value. The possible values to configure the NAME p - no value specified > [!NOTE] -> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. +> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. If no value is specified, the registry location will default to ``. diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 139c2e3cfd..7842c67b66 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md 
@@ -14,11 +14,21 @@ ms.date: 06/26/2017 # w7 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning. -> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. - +> [!Note] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. The following shows the configuration service provider in tree format as used by OMA Client Provisioning. @@ -51,11 +61,10 @@ APPLICATION ---SSLCLIENTCERTSEARCHCRITERIA ``` -> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. +> [!Note] +> All parameter names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. -  - **APPADDR** This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. 
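Review bot: The alert converted in this hunk (before "All parameter names and characteristic types are case sensitive") is written `> [!Note]`, as are the other converted notes in this file, while update-csp.md, w4-application-csp.md and quick-assist.md in the same patch use `> [!NOTE]`. Use the uppercase form here so the alert syntax is consistent across the files this patch touches.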
@@ -99,9 +108,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o Valid values: -- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type. +- BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type. -- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type. +- DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type. - When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST. @@ -111,9 +120,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe **BACKCOMPATRETRYDISABLED** Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). -> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. - -  +> [!Note] +> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. **CONNRETRYFREQ** Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter. 
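Review bot: In the AAUTHTYPE value list (the `@@ -99,9 +108,9 @@` hunk), the two edited bullets still read "specifies that the SyncML DM `syncml:auth-basic` authentication type", which has no verb after "that". The change only swaps quotes for backticks; while the lines are open, reword them to "specifies the SyncML DM `syncml:auth-basic` authentication type" and likewise for `syncml:auth-md5`, so the BASIC and DIGEST options are stated unambiguously.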
@@ -130,11 +138,10 @@ The valid values are: **INIT** Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present. -> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. +> [!Note] +> This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready. -   - **INITIALBACKOFFTIME** Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. @@ -180,9 +187,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. -> **Note**   %EF%80%80 is the UTF8-encoded character U+F000. - -  +> [!Note] +> `%EF%80%80` is the UTF8-encoded character U+F000. Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: 
@@ -193,15 +199,4 @@ Subject specifies the certificate to search for. For example, to specify that yo ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index e10daf5564..adf03f1929 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md index bc34d7b38d..12dfff8ecc 100644 --- a/windows/client-management/mdm/win32appinventory-csp.md +++ b/windows/client-management/mdm/win32appinventory-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index b3a8915e7f..ea3289d926 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| 
@@ -160,7 +161,7 @@ Value type is bool. Supported operation is Get. **UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled** -A boolean value representing whether the MSA service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. +A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs. Value type is bool. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index c9940fce4d..134770f710 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 1f1f11f0bd..7482fcb352 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 02/07/2022 +ms.date: 05/09/2022 --- # WindowsAutopilot CSP 
@@ -20,22 +20,26 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|Yes| +|Windows SE|No|Yes| |Business|No|Yes| |Enterprise|No|Yes| |Education|No|Yes| > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. The WindowsAutopilot CSP exposes Windows Autopilot related device information. The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. **./Vendor/MSFT/WindowsAutopilot** -Root node. Supported operation is Get. +Root node for the WindowsAutopilot configuration service provider. +Supported operation is Get. **HardwareMismatchRemediationData** -Interior node. Supported operation is Get. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot. +Interior node for the HardwareMismatchRemediationData configuration service provider. Collects hardware information about a device and returns it as an encoded string. This string is used as input for calling Windows Autopilot Service to remediate a device if the device underwent a hardware change that affects its ability to use Windows Autopilot. + +Supported operation is Get. ## Related topics 
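Review bot: In the HardwareMismatchRemediationData description, the new wording "Interior node for the HardwareMismatchRemediationData configuration service provider" is inaccurate: per the entry above it, HardwareMismatchRemediationData is a node under `./Vendor/MSFT/WindowsAutopilot`, not a configuration service provider of its own. Suggest "Interior node of the WindowsAutopilot configuration service provider", which also matches the new root node sentence.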
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 10551772c3..6a9c6a3055 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|No|No| +|Windows SE|No|No| |Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index bf35fddf2f..756039926b 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -20,6 +20,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|Yes|Yes| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index f3ba7e9ad2..ff85447bbd 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -19,6 +19,7 @@ The table below shows the applicability of Windows: |--- |--- |--- | |Home|No|No| |Pro|Yes|Yes| +|Windows SE|No|Yes| |Business|Yes|Yes| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 120ac4d165..3a36e33d5a 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md 
@@ -1,30 +1,31 @@ --- title: Use Quick Assist to help users -description: How IT Pros can use Quick Assist to help users +description: How IT Pros can use Quick Assist to help users. ms.prod: w10 -ms.sitesec: library -ms.topic: article -author: aczechowski +ms.technology: windows +ms.topic: how-to ms.localizationpriority: medium +author: aczechowski ms.author: aaroncz manager: dougeby +ms.reviewer: pmadrigal ms.collection: highpri --- # Use Quick Assist to help users -Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. +Quick Assist is a Microsoft Store application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user's device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices. ## Before you begin -All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. +All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. > [!NOTE] > In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. 
### Authentication -The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. +The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. ### Network considerations 
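Review bot: The rewritten intro calls Quick Assist a "Microsoft Store application", but "Before you begin" in the same hunk still says all that's required is suitable network and internet connectivity. If obtaining or updating the app from the Store is now a prerequisite, state it in that paragraph, so administrators who restrict Store access know the requirement applies to them. Separately, this hunk keeps "(MSA)" after "Microsoft account" while other hunks in this patch replace MSA with the full name; pick one form.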
@@ -32,18 +33,20 @@ Quick Assist communicates over port 443 (https) and connects to the Remote Assis Both the helper and sharer must be able to reach these endpoints over port 443: -| Domain/Name | Description | -|-----------------------------------|-------------------------------------------------------| -| \*.support.services.microsoft.com | Primary endpoint used for Quick Assist application | -| \*.resources.lync.com | Required for the Skype framework used by Quick Assist | -| \*.infra.lync.com | Required for the Skype framework used by Quick Assist | -| \*.latest-swx.cdn.skype.com | Required for the Skype framework used by Quick Assist | -| \*.login.microsoftonline.com | Required for logging in to the application (MSA) | -| \*.channelwebsdks.azureedge.net | Used for chat services within Quick Assist | -| \*.aria.microsoft.com | Used for accessibility features within the app | -| \*.api.support.microsoft.com | API access for Quick Assist | -| \*.vortex.data.microsoft.com | Used for diagnostic data | -| \*.channelservices.microsoft.com | Required for chat services within Quick Assist | +| Domain/Name | Description | +|--|--| +| `*.support.services.microsoft.com` | Primary endpoint used for Quick Assist application | +| `*.login.microsoftonline.com` | Required for logging in to the application (Microsoft account) | +| `*.channelwebsdks.azureedge.net` | Used for chat services within Quick Assist | +| `*.aria.microsoft.com` | Used for accessibility features within the app | +| `*.api.support.microsoft.com` | API access for Quick Assist | +| `*.vortex.data.microsoft.com` | Used for diagnostic data | +| `*.channelservices.microsoft.com` | Required for chat services within Quick Assist | +| `*.remoteassistanceprodacs.communication.azure.com` | Azure Communication Services (ACS) technology the Quick Assist app uses. | +| `*.turn.azure.com` | Protocol used to help endpoint. 
| +| `browser.pipe.aria.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `browser.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | +| `ic3.events.data.microsoft.com` | Required diagnostic data for client and services used by Quick Assist. | ## How it works @@ -73,9 +76,9 @@ Microsoft logs a small amount of session data to monitor the health of the Quick - Features used inside the app such as view only, annotation, and session pause -No logs are created on either the helper’s or sharer’s device. Microsoft cannot access a session or view any actions or keystrokes that occur in the session. +No logs are created on either the helper's or sharer's device. Microsoft can't access a session or view any actions or keystrokes that occur in the session. -The sharer sees only an abbreviated version of the helper’s name (first name, last initial) and no other information about them. Microsoft does not store any data about either the sharer or the helper for longer than three days. +The sharer sees only an abbreviated version of the helper's name (first name, last initial) and no other information about them. Microsoft doesn't store any data about either the sharer or the helper for longer than three days. In some scenarios, the helper does require the sharer to respond to application permission prompts (User Account Control), but otherwise the helper has the same permissions as the sharer on the device. @@ -83,8 +86,7 @@ In some scenarios, the helper does require the sharer to respond to application Either the support staff or a user can start a Quick Assist session. - -1. Support staff (“helper”) starts Quick Assist in any of a few ways: +1. Support staff ("helper") starts Quick Assist in any of a few ways: - Type *Quick Assist* in the search box and press ENTER. - From the Start menu, select **Windows Accessories**, and then select **Quick Assist**. 
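Review bot: In the endpoint table of quick-assist.md, the new `*.turn.azure.com` row is described as "Protocol used to help endpoint.", which does not tell a firewall administrator what the endpoint is for; describe its function the way the other rows do. The added `browser.pipe.aria.microsoft.com` row also appears to fall under the existing `*.aria.microsoft.com` row, so say whether the explicit entry is needed in addition to the wildcard. Because this hunk removes the three Skype framework endpoints (`*.resources.lync.com`, `*.infra.lync.com`, `*.latest-swx.cdn.skype.com`), add a sentence saying whether existing allow-list entries for them can be retired.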
@@ -94,32 +96,16 @@ Either the support staff or a user can start a Quick Assist session. 3. Helper shares the security code with the user over the phone or with a messaging system. -4. Quick Assist opens on the sharer’s device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. +4. Quick Assist opens on the sharer's device. The user enters the provided code in the **Code from assistant** box, and then selects **Share screen**. -5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After choosing, the helper selects **Continue**. +5. The helper receives a dialog offering the opportunity to take full control of the device or just view its screen. After they choose an option, the helper selects **Continue**. 6. The sharer receives a dialog asking for permission to show their screen or allow access. The sharer gives permission by selecting the **Allow** button. ## If Quick Assist is missing -If for some reason a user doesn't have Quick Assist on their system or it's not working properly, they might need to uninstall and reinstall it. - -### Uninstall Quick Assist - -1. Start the Settings app, and then select **Apps**. -2. Select **Optional features**. -3. In the **Installed features** search bar, type *Quick Assist*. -4. Select **Microsoft Quick Assist**, and then select **Uninstall**. - -### Reinstall Quick Assist - -1. Start the Settings app, and then select **Apps**. -2. Select **Optional features**. -3. Select **Add a feature**. -4. In the new dialog that opens, in the **Add an optional feature** search bar, type *Quick Assist*. -5. Select the check box for **Microsoft Quick Assist**, and then select **Install**. -6. Restart the device. +If for some reason a user doesn't have Quick Assist on their system or it's not working properly, try to uninstall and reinstall it. 
For more information, see [Install Quick Assist](https://support.microsoft.com/windows/install-quick-assist-c17479b7-a49d-4d12-938c-dbfb97c88bca). ## Next steps -If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://www.microsoft.com/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0&rtc=1#activetab=pivot:overviewtab). +If you have any problems, questions, or suggestions for Quick Assist, contact us by using the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 52a2fb766d..da6a705ba5 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md 
@@ -15,7 +15,7 @@ ms.topic: troubleshooting # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 756137de7c..aa66136bfb 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -1,13 +1,9 @@ --- title: Changes to Group Policy settings for Windows 10 Start menu (Windows 10) description: Learn about changes to Group Policy settings for the Windows 10 Start menu. Also, learn about the new Windows 10 Start experience. -ms.assetid: 612FB68A-3832-451F-AA97-E73791FEAA9F ms.reviewer: manager: dougeby -keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index 500f5c624f..bf089eb4ba 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,10 +1,7 @@ --- title: Configure Windows 10 taskbar (Windows 10) description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. -keywords: ["taskbar layout","pin apps"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article @@ -14,6 +11,7 @@ ms.reviewer: manager: dougeby ms.collection: highpri --- + # Configure Windows 10 taskbar Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index 805a227811..e82f329a86 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -2,8 +2,6 @@ title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index 6d940ecc14..a342f659be 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md 
+++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -2,8 +2,6 @@ title: Send feedback about Cortana at work back to Microsoft description: Learn how to send feedback to Microsoft about Cortana at work so you can provide more information to help diagnose reported issues.. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index d949c55ed5..633b1edf0b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -2,8 +2,6 @@ title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
@@ -29,7 +27,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 2b72551c54..88b9b1e042 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md index 2eb0ba6a03..97966260a0 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md @@ -2,8 +2,6 @@ title: Configure Cortana with Group Policy and MDM settings (Windows) description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md index a54d958f6e..fd81d85f3a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md @@ -2,8 +2,6 @@ title: Set up and test Cortana for Power BI in your organization (Windows) description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md index de0f3315ae..f19d6c310d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md @@ -2,8 +2,6 @@ title: Sign into Azure AD, enable the wake word, and try a voice query description: A test scenario walking you through signing in and managing the notebook. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index b9c64414bc..4c019223d3 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -2,8 +2,6 @@ title: Perform a quick search with Cortana at work (Windows) description: This is a test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md index 68ba398dbf..f6d46feb8f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md @@ -2,8 +2,6 @@ title: Set a reminder for a location with Cortana at work (Windows) description: A test scenario about how to set a location-based reminder using Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 6c6a391833..6a45297397 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -2,8 +2,6 @@ title: Use Cortana at work to find your upcoming meetings (Windows) description: A test scenario on how to use Cortana at work to find your upcoming meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md index 63f5f07436..5085f7608d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md @@ -2,8 +2,6 @@ title: Use Cortana to send email to a co-worker (Windows) description: A test scenario about how to use Cortana at work to send email to a co-worker. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index c4647b52d8..b05c1179dc 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -2,8 +2,6 @@ title: Review a reminder suggested by Cortana (Windows) description: A test scenario on how to use Cortana with the Suggested reminders feature. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index 6a7ab71a9a..ed2e51d53c 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -2,8 +2,6 @@ title: Help protect data with Cortana and WIP (Windows) description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP). ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md index cf0cd10b10..55023907da 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md @@ -2,8 +2,6 @@ title: Cortana at work testing scenarios description: Suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index 10a3e5644b..fb38e50ec2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md 
@@ -2,8 +2,6 @@ title: Set up and test custom voice commands in Cortana for your organization (Windows) description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index b922d049e4..5af920f5f7 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-1.md b/windows/configuration/cortana-at-work/test-scenario-1.md index 729352fb95..d11ddd9fbf 100644 --- a/windows/configuration/cortana-at-work/test-scenario-1.md +++ b/windows/configuration/cortana-at-work/test-scenario-1.md @@ -2,8 +2,6 @@ title: Test scenario 1 – Sign in with your work or school account and use Cortana to manage the notebook description: A test scenario about how to sign in with your work or school account and use Cortana to manage the notebook. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-2.md b/windows/configuration/cortana-at-work/test-scenario-2.md index 86c279c752..f9128ac53e 100644 --- a/windows/configuration/cortana-at-work/test-scenario-2.md 
+++ b/windows/configuration/cortana-at-work/test-scenario-2.md @@ -2,8 +2,6 @@ title: Test scenario 2 - Perform a quick search with Cortana at work description: A test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-3.md b/windows/configuration/cortana-at-work/test-scenario-3.md index f1706c3579..0bef2a7ad9 100644 --- a/windows/configuration/cortana-at-work/test-scenario-3.md +++ b/windows/configuration/cortana-at-work/test-scenario-3.md @@ -2,8 +2,6 @@ title: Test scenario 3 - Set a reminder for a specific location using Cortana at work description: A test scenario about how to set up, review, and edit a reminder based on a location. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md index 635172f826..45d2df199c 100644 --- a/windows/configuration/cortana-at-work/test-scenario-4.md +++ b/windows/configuration/cortana-at-work/test-scenario-4.md @@ -2,8 +2,6 @@ title: Use Cortana to find your upcoming meetings at work (Windows) description: A test scenario about how to use Cortana at work to find your upcoming meetings. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md index 7770f46dfd..4a890aca59 100644 --- a/windows/configuration/cortana-at-work/test-scenario-5.md +++ b/windows/configuration/cortana-at-work/test-scenario-5.md 
@@ -2,8 +2,6 @@ title: Use Cortana to send an email to co-worker (Windows) description: A test scenario on how to use Cortana at work to send email to a co-worker. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index e9b09188c2..eea07d4bbe 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -2,8 +2,6 @@ title: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email description: A test scenario about how to use Cortana with the Suggested reminders feature. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md index 57153a781a..b62794ff0f 100644 --- a/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md +++ b/windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md @@ -2,8 +2,6 @@ title: Testing scenarios using Cortana in your business or organization description: A list of suggested testing scenarios that you can use to test Cortana in your organization. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index c979753ccb..5f13879817 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md 
@@ -1,13 +1,9 @@ --- title: Customize and export Start layout (Windows 10) description: The easiest method for creating a customized Start layout is to set up the Start screen and export the layout. -ms.assetid: CA8DF327-5DD4-452F-9FE5-F17C514B6236 ms.reviewer: manager: dougeby -keywords: ["start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md index f21e9bf9dc..069e047309 100644 --- a/windows/configuration/customize-start-menu-layout-windows-11.md +++ b/windows/configuration/customize-start-menu-layout-windows-11.md @@ -1,14 +1,10 @@ --- title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: ericpapa ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md index 8679cc641f..51335436d5 100644 --- a/windows/configuration/customize-taskbar-windows-11.md +++ b/windows/configuration/customize-taskbar-windows-11.md 
@@ -1,14 +1,10 @@ --- title: Configure and customize Windows 11 taskbar | Microsoft Docs description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: chataylo ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.collection: highpri diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 434d699db3..15c1cc2cad 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -1,13 +1,9 @@ --- title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10) description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain. -ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545 ms.reviewer: manager: dougeby -keywords: ["Start layout", "start menu", "layout", "group policy"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index a06b4c2919..fb50dc5a39 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -1,13 +1,9 @@ --- title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. -ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dougeby -keywords: ["start screen", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.topic: article ms.author: aaroncz diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 110d43b999..0a2038ce7d 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md @@ -1,13 +1,9 @@ --- title: Customize Windows 10 Start and taskbar with provisioning packages (Windows 10) description: In Windows 10, you can use a provisioning package to deploy a customized Start layout to users. -ms.assetid: AC952899-86A0-42FC-9E3C-C25F45B1ACAC ms.reviewer: manager: dougeby -keywords: ["Start layout", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 7ec5869bf1..ce8ad34838 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md 
@@ -1,10 +1,7 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. -keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/images/choose-package.png b/windows/configuration/images/choose-package.png deleted file mode 100644 index 2bf7a18648..0000000000 Binary files a/windows/configuration/images/choose-package.png and /dev/null differ diff --git a/windows/configuration/images/oobe.jpg b/windows/configuration/images/oobe.jpg deleted file mode 100644 index 2e700971c1..0000000000 Binary files a/windows/configuration/images/oobe.jpg and /dev/null differ diff --git a/windows/configuration/images/oobe.png b/windows/configuration/images/oobe.png new file mode 100644 index 0000000000..331797c251 Binary files /dev/null and b/windows/configuration/images/oobe.png differ diff --git a/windows/configuration/images/package.png b/windows/configuration/images/package.png deleted file mode 100644 index e10cf84f51..0000000000 Binary files a/windows/configuration/images/package.png and /dev/null differ diff --git a/windows/configuration/images/prov.jpg b/windows/configuration/images/prov.jpg deleted file mode 100644 index 1593ccb36b..0000000000 Binary files a/windows/configuration/images/prov.jpg and /dev/null differ diff --git a/windows/configuration/images/provisioning-oobe-choice.png b/windows/configuration/images/provisioning-oobe-choice.png new file mode 100644 index 0000000000..503fa8f17b Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-choice.png differ 
diff --git a/windows/configuration/images/provisioning-oobe-choose-package.png b/windows/configuration/images/provisioning-oobe-choose-package.png new file mode 100644 index 0000000000..68b23dae54 Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-choose-package.png differ diff --git a/windows/configuration/images/provisioning-oobe-installing.png b/windows/configuration/images/provisioning-oobe-installing.png new file mode 100644 index 0000000000..4b05a90946 Binary files /dev/null and b/windows/configuration/images/provisioning-oobe-installing.png differ diff --git a/windows/configuration/images/provisioning-runtime-UAC.png b/windows/configuration/images/provisioning-runtime-UAC.png new file mode 100644 index 0000000000..5e00691b05 Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-UAC.png differ diff --git a/windows/configuration/images/provisioning-runtime-add-package.png b/windows/configuration/images/provisioning-runtime-add-package.png new file mode 100644 index 0000000000..542c73fe6e Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-add-package.png differ diff --git a/windows/configuration/images/provisioning-runtime-choose-package.png b/windows/configuration/images/provisioning-runtime-choose-package.png new file mode 100644 index 0000000000..00a8f198a3 Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-choose-package.png differ diff --git a/windows/configuration/images/provisioning-runtime-click-to-install.png b/windows/configuration/images/provisioning-runtime-click-to-install.png new file mode 100644 index 0000000000..5e06f26654 Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-click-to-install.png differ 
diff --git a/windows/configuration/images/provisioning-runtime-manage-packages.png b/windows/configuration/images/provisioning-runtime-manage-packages.png new file mode 100644 index 0000000000..657e69b945 Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-manage-packages.png differ diff --git a/windows/configuration/images/provisioning-runtime-trust.png b/windows/configuration/images/provisioning-runtime-trust.png new file mode 100644 index 0000000000..50cb98ff3b Binary files /dev/null and b/windows/configuration/images/provisioning-runtime-trust.png differ diff --git a/windows/configuration/images/setupmsg.jpg b/windows/configuration/images/setupmsg.jpg deleted file mode 100644 index 06348dd2b8..0000000000 Binary files a/windows/configuration/images/setupmsg.jpg and /dev/null differ diff --git a/windows/configuration/images/trust-package.png b/windows/configuration/images/trust-package.png deleted file mode 100644 index 8a293ea4da..0000000000 Binary files a/windows/configuration/images/trust-package.png and /dev/null differ diff --git a/windows/configuration/includes/multi-app-kiosk-support-windows11.md b/windows/configuration/includes/multi-app-kiosk-support-windows11.md index e3b0982b66..efe346ced6 100644 --- a/windows/configuration/includes/multi-app-kiosk-support-windows11.md +++ b/windows/configuration/includes/multi-app-kiosk-support-windows11.md @@ -3,7 +3,6 @@ author: aczechowski ms.author: aaroncz ms.date: 09/21/2021 ms.reviewer: -audience: itpro manager: dougeby ms.prod: w10 ms.topic: include diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index cd38222026..fda7a6c1da 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md 
@@ -1,14 +1,10 @@ --- title: More kiosk methods and reference information (Windows 10/11) description: Find more information for configuring, validating, and troubleshooting kiosk configuration. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: reference diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index 7c0a77b39e..509e5e3983 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -1,14 +1,10 @@ --- title: Use MDM Bridge WMI Provider to create a Windows 10/11 kiosk (Windows 10/11) description: Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index ea9c57c785..c444568fe9 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -5,9 +5,6 @@ manager: dougeby ms.author: aaroncz description: In this article, learn about the methods for configuring kiosks and digital signs on Windows 10 or Windows 11 desktop editions. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: aczechowski ms.topic: article 
diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 6524e3e543..219db257fb 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -1,14 +1,9 @@ --- title: Policies enforced on kiosk devices (Windows 10/11) description: Learn about the policies enforced on a device when you configure it as a kiosk. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 45dec9443a..2712131087 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -1,14 +1,10 @@ --- title: Prepare a device for kiosk configuration on Windows 10/11 | Microsoft Docs description: Learn how to prepare a device for kiosk configuration. Also, learn about the recommended kiosk configuration changes. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 3cd7d04a31..075be3e488 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md 
@@ -1,14 +1,10 @@ --- title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11) description: Shell Launcher lets you change the default shell that launches when a user signs in to a device. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 179c44499b..7c13c2715e 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -1,14 +1,10 @@ --- title: Set up a single-app kiosk on Windows 10/11 description: A single-use device is easy to set up in Windows 10 and Windows 11 for desktop editions (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md index cb60660c38..091872a845 100644 --- a/windows/configuration/kiosk-troubleshoot.md +++ b/windows/configuration/kiosk-troubleshoot.md 
@@ -1,14 +1,9 @@ --- title: Troubleshoot kiosk mode issues (Windows 10/11) description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md index 934dd1ed77..dfc4d3e91d 100644 --- a/windows/configuration/kiosk-validate.md +++ b/windows/configuration/kiosk-validate.md @@ -1,14 +1,10 @@ --- title: Validate kiosk configuration (Windows 10/11) description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education. -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index f6ddb6a2d4..a5f84dcc40 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -1,14 +1,9 @@ --- title: Assigned Access configuration kiosk XML reference (Windows 10/11) description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.author: aaroncz 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md index 4fcd915dd1..4552e63e33 100644 --- a/windows/configuration/lock-down-windows-10-applocker.md +++ b/windows/configuration/lock-down-windows-10-applocker.md @@ -1,14 +1,9 @@ --- title: Use AppLocker to create a Windows 10 kiosk that runs multiple apps (Windows 10) description: Learn how to use AppLocker to configure a kiosk device running Windows 10 Enterprise or Windows 10 Education so that users can only run a few specific apps. -ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8 ms.reviewer: sybruckm manager: dougeby -keywords: ["lockdown", "app restrictions", "applocker"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: edu, security author: aczechowski ms.localizationpriority: medium ms.date: 07/30/2018 diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index ef2974bbc5..fcc521e9df 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -404,7 +404,7 @@ Group accounts are specified using ``. Nested groups aren't supported ``` -- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in. ```xml 
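Review bot: In the Azure AD group bullet, the changed ending "when users that belong to the group sign-in" puts the hyphenated noun form where a verb is needed; keep "sign in" as the removed line had it. The hyphenated form suits noun and adjective uses such as "at sign-out", not a verb phrase like this one.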
@@ -544,43 +544,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ### Apply provisioning package to device -Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). - ->[!TIP] ->In addition to the methods below, you can use the PowerShell comdlet [install-provisioningpackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. - -#### During initial setup, from a USB drive - -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - - ![The first screen to set up a new PC.](images/oobe.jpg) - -2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/setupmsg.jpg) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device.](images/prov.jpg) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. - - ![Choose a package.](images/choose-package.png) - -5. Select **Yes, add it**. - - ![Do you trust this package?](images/trust-package.png) - -#### After setup, from a USB drive, network folder, or SharePoint site - -1. Sign in with an admin account. -2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. 
+Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md). > [!NOTE] > If your provisioning package doesn't include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. -![Add a package option.](images/package.png) - ### Use MDM to deploy the multi-app configuration Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 36bf667cc7..caeb98056f 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -1,14 +1,9 @@ --- title: Lockdown features from Windows Embedded 8.1 Industry (Windows 10) description: Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. -ms.assetid: 3C006B00-535C-4BA4-9421-B8F952D47A14 ms.reviewer: manager: dougeby -keywords: lockdown, embedded ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 2dcf1d588b..6eb41bde06 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md 
@@ -1,11 +1,7 @@ --- title: Manage Windows 10 and Microsoft Store tips, fun facts, and suggestions (Windows 10) description: Windows 10 provides organizations with various options to manage user experiences to provide a consistent and predictable experience for employees. -keywords: ["device management"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: devices author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md index 8149182469..1bd58d5c1e 100644 --- a/windows/configuration/manage-wifi-sense-in-enterprise.md +++ b/windows/configuration/manage-wifi-sense-in-enterprise.md @@ -1,15 +1,10 @@ --- title: Manage Wi-Fi Sense in your company (Windows 10) description: Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. -ms.assetid: 1845e00d-c4ee-4a8f-a5e5-d00f2735a271 ms.reviewer: manager: dougeby ms.author: aaroncz -keywords: ["WiFi Sense", "automatically connect to wi-fi", "wi-fi hotspot connection"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium ms.topic: article diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md index ffe4a55f6d..a168bce8f6 100644 --- a/windows/configuration/provisioning-apn.md +++ b/windows/configuration/provisioning-apn.md @@ -1,12 +1,9 @@ --- title: Configure cellular settings for tablets and PCs (Windows 10) description: Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.reviewer: manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 9147bc6b90..3e0279e5e5 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -1,12 +1,9 @@ --- title: Configuration service providers for IT pros (Windows 10/11) description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices. -ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index 1305b2bb87..cec5065059 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -1,13 +1,9 @@ --- title: Provision PCs with common settings (Windows 10/11) description: Create a provisioning package to apply common settings to a PC running Windows 10. -ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E ms.reviewer: gkomatsu manager: dougeby -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index faad3522bb..9d403656ad 100644 
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -1,10 +1,7 @@ --- title: Provision PCs with apps and certificates (Windows 10) description: Create a provisioning package to apply settings to a PC running Windows 10. -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index f1b8691117..86ba895398 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -1,10 +1,7 @@ --- title: Provision PCs with apps (Windows 10/11) description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. -keywords: ["runtime provisioning", "provisioning package"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index 230570bfa8..97a1f3bd50 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md 
@@ -1,9 +1,7 @@ --- title: Apply a provisioning package (Windows 10/11) -description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime"). +description: Provisioning packages can be applied to a device during initial setup (OOBE) and after ("runtime"). ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
@@ -20,40 +18,82 @@ manager: dougeby - Windows 10 - Windows 11 -Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). +Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). ->[!NOTE] +> [!NOTE] > > - Applying a provisioning package to a desktop device requires administrator privileges on the device. > - You can interrupt a long-running provisioning process by pressing ESC. -## During initial setup, from a USB drive +> [!TIP] +> In addition to the following methods, you can use the PowerShell cmdlet [Install-ProvisioningPackage](/powershell/module/provisioning/Install-ProvisioningPackage) with `-LogsDirectoryPath` to get logs for the operation. -1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. +## During initial setup - ![The first screen to set up a new PC.](../images/oobe.jpg) +To apply a provisioning package from a USB drive during initial setup: -2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**. +1. Start with a device on the initial setup screen. If the device has gone past this screen, reset the device to start over. To reset, go to **Settings** > **System** > [**Recovery**](ms-settings:recovery) > **Reset this PC**. - ![Set up device?](../images/setupmsg.jpg) + :::image type="content" source="../images/oobe.png" alt-text="The first screen when setting up a new PC."::: -3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**. +2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. 
- ![Provision this device.](../images/prov.jpg) + - If there is only one provisioning package on the USB drive, the provisioning package is applied. See step 5. + - If there is more than one provisioning package on the USB drive, Windows setup will recognize the drive and ask how you want to provision the device. Select **Install provisioning package** and select **Next**. -4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**. + :::image type="content" source="../images/provisioning-oobe-choice.png" alt-text="What would you like to do?"::: - ![Choose a package.](../images/choose-package.png) +3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Yes**. -5. Select **Yes, add it**. + :::image type="content" source="../images/provisioning-oobe-choose-package.png" alt-text="Choose a package."::: - ![Do you trust this package?](../images/trust-package.png) +4. The selected provisioning package will install and apply to the device. -## After setup, from a USB drive, network folder, or SharePoint site + :::image type="content" source="../images/provisioning-oobe-installing.png" alt-text="Setting up your PC."::: -Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. +5. Wait for the device to load and begin applying the provisioning package. Once you see "You can remove your removable media now!" you can remove your USB drive. Windows will continue provisioning the device. -![add a package option.](../images/package.png) +## After initial setup + +Provisioning packages can be applied after initial setup through Windows settings or by simply double-clicking a provisioning package. 
+ +### Windows Settings + +1. Insert the USB drive, then navigate to **Settings** > **Accounts** > [**Access work or school**](ms-settings:workplace) > **Add or remove a provisioning package** > **Add a package**. + + :::image type="content" source="../images/provisioning-runtime-manage-packages.png" alt-text="Add or remove a provisioning package."::: + +2. Choose the method you want to use, such as **Removable Media**. + + :::image type="content" source="../images/provisioning-runtime-choose-package.png" alt-text="Choose a method."::: + +3. Select the provisioning package (`.ppkg`) that you want to apply, and select **Add**. + + :::image type="content" source="../images/provisioning-runtime-add-package.png" alt-text="Select and add a package."::: + +4. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. + + :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: + +5. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. + + :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: + +### Apply Directly + +To apply a provisioning package directly, such as from a USB drive, folder, network, or SharePoint site: + +1. Navigate to the provisioning package and double-click it to begin the installation. + + :::image type="content" source="../images/provisioning-runtime-click-to-install.png" alt-text="Double-click package to being installation."::: + +2. Provisioning packages require administrator privileges as they can modify system policies and run scripts at the system level. 
Ensure you trust the package you are installing before accepting the UAC prompt. Select **Yes**. + + :::image type="content" source="../images/provisioning-runtime-UAC.png" alt-text="Do you want to allow changes to your device?"::: + +3. The provisioning runtime will ask if the package is from a source you trust. Verify that you are applying the correct package and that it is trusted. Select **Yes, add it**. + + :::image type="content" source="../images/provisioning-runtime-trust.png" alt-text="Do you trust this package?"::: ## Related articles diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 95e51c1316..fbe7aecde9 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -2,8 +2,6 @@ title: Windows Configuration Designer command-line interface (Windows 10/11) description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index f926e57f98..2852698705 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md @@ -2,8 +2,6 @@ title: Create a provisioning package (Windows 10/11) description: Learn how to create a provisioning package for Windows 10/11, which lets you quickly configure a device without having to install a new image. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
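Review bot: In provisioning-apply-package.md, hunk @@ -20,40 +18,82 @@, step 1 under "During initial setup" now gives the reset path only as Settings > System > Recovery, but the applies-to list in the same hunk still names Windows 10 and the removed line's path was Settings > Update & security > Recovery; list both paths or say which Windows version each belongs to. The new OOBE steps also describe no trust confirmation: the removed flow ended with "Select **Yes, add it**" under the "Do you trust this package?" screenshot, and a single package on the drive is now simply "applied", while the runtime steps tell the reader to verify that the package is trusted. State explicitly whether a prompt appears during OOBE so admins know they must control which media reach a device at setup. Smaller points: the alt-text "Double-click package to being installation." should read "begin", and "### Windows Settings" and "### Apply Directly" should use sentence case like "## During initial setup".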
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index cc1fff48d3..737cb64b16 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -2,8 +2,6 @@ title: How provisioning works in Windows 10/11 description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index 1df2136104..59419bb6b2 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -2,8 +2,6 @@ title: Install Windows Configuration Designer (Windows 10/11) description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 0987e3f720..65b4475739 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md 
@@ -2,8 +2,6 @@ title: Create a provisioning package with multivariant settings (Windows 10/11) description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index da386db801..b762a1d124 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -1,12 +1,9 @@ --- title: Provisioning packages overview on Windows 10/11 description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do. -ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.reviewer: gkomatsu manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 3b6e0300dc..0698178c23 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -2,8 +2,6 @@ title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11) description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article 
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 0f1b11b953..e768666071 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -2,8 +2,6 @@ title: Use a script to install a desktop app in provisioning packages (Windows 10/11) description: With Windows 10/11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index 1a6f2d6af3..04665c5f6e 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md +++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -2,8 +2,6 @@ title: Uninstall a provisioning package - reverted settings (Windows 10/11) description: This article lists the settings that are reverted when you uninstall a provisioning package on Windows 10/11 desktop client devices. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 92a57a02af..a9bfdbcfdf 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -1,10 +1,7 @@ --- title: Set up a shared or guest PC with Windows 10/11 description: Windows 10 and Windows has shared PC mode, which optimizes Windows client for shared use scenarios. -keywords: ["shared pc mode"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article @@ -65,7 +62,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re |:---|:---| | EnableSharedPCMode | Set as **True**. If this is not set to **True**, shared PC mode is not turned on and none of the other settings apply. This setting controls this API: [IsEnabled](/uwp/api/windows.system.profile.sharedmodesettings)

    Some of the remaining settings in **SharedPC** are optional, but we strongly recommend that you also set `EnableAccountManager` to **True**. | | AccountManagement: AccountModel | This option controls how users can sign-in on the PC. Choosing domain-joined will enable any user in the domain to sign-in.

    Specifying the guest option will add the **Guest** option to the sign-in screen and enable anonymous guest access to the PC.

    - **Only guest** allows anyone to use the PC as a local standard (non-admin) account.
    - **Domain-joined only** allows users to sign in with an Active Directory or Azure AD account.
    - **Domain-joined and guest** allows users to sign in with an Active Directory, Azure AD, or local standard account. | -| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.

    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
    - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | +| AccountManagement: DeletionPolicy | - **Delete immediately** will delete the account on sign-out.

    - **Delete at disk space threshold** will start deleting accounts when available disk space falls below the threshold you set for **DiskLevelDeletion**, and it will stop deleting accounts when the available disk space reaches the threshold you set for **DiskLevelCaching**. Accounts are deleted in order of oldest accessed to most recently accessed.

    Example: The caching number is 50 and the deletion number is 25. Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) at a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign-off of an account if free space is under the deletion threshold and disk space is very low, regardless if the PC is actively in use or not.
    - **Delete at disk space threshold and inactive threshold** will apply the same disk space checks as noted above, but also delete accounts if they have not signed in within the number of days specified by **InactiveThreshold** | | AccountManagement: DiskLevelCaching | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account caching. | | AccountManagement: DiskLevelDeletion | If you set **DeletionPolicy** to **Delete at disk space threshold**, set the percent of total disk space to be used as the disk space threshold for account deletion. | | AccountManagement: InactiveThreshold | If you set **DeletionPolicy** to **Delete at disk space threshold and inactive threshold**, set the number of days after which an account that has not signed in will be deleted. | @@ -85,7 +82,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re You can configure Windows to be in shared PC mode in a couple different ways: -- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps: +- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To set up a shared device policy for Windows client in Intune, complete the following steps: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 
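Review bot: In set-up-shared-or-guest-pc.md, hunk @@ -65,7 +62,7 @@ hyphenates "sign-off" in the DeletionPolicy row but leaves the AccountModel row directly above it with "sign-in" used as a verb twice ("how users can sign-in on the PC", "enable any user in the domain to sign-in"); change those to "sign in" in the same pass so the table follows one rule, hyphenated for the noun and open for the verb. The last DeletionPolicy bullet also ends without a period after **InactiveThreshold**.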
@@ -185,30 +182,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ### Apply the provisioning package -You can apply the provisioning package to a PC during initial setup or to a PC that has already been set up. - -**During initial setup** - -1. Start with a PC on the setup screen. - - ![The first screen to set up a new PC.](images/oobe.jpg) - -2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times. - - - If there is only one provisioning package on the USB drive, the provisioning package is applied. - - - If there is more than one provisioning package on the USB drive, the **Set up device?** message displays. Click **Set up**, and select the provisioning package that you want to install. - - ![Set up device?](images/setupmsg.jpg) - -3. Complete the setup process. - - -**After setup** - -On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and selects the package to install. - -![add a package option.](images/package.png) +Provisioning packages can be applied to a device during initial setup (out-of-box experience or "OOBE") and after ("runtime"). For more information, see [Apply a provisioning package](./provisioning-packages/provisioning-apply-package.md). > [!NOTE] > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost. 
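Review bot: The note kept as trailing context still says "If you apply the setup file to a computer that has already been set up", while the new paragraph directly above it calls the same thing a provisioning package; change "setup file" to "provisioning package" so the data-loss warning clearly refers to what the linked article applies. With the inline "After setup" steps gone, this note is the only runtime guidance left in the section, so it is worth making unambiguous.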
@@ -217,7 +191,7 @@ On a desktop computer, navigate to **Settings** > **Accounts** > **Work ac * We recommend no local admin accounts on the PC to improve the reliability and security of the PC. -* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out. +* When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign-out. * On a Windows PC joined to Azure Active Directory: * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC. * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal. diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index 921c556ecf..dff1da75a5 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md 
@@ -1,14 +1,10 @@ --- title: Set up digital signs on Windows 10/11 description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education). -ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC ms.reviewer: sybruckm manager: dougeby ms.author: aaroncz -keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.date: 09/20/2021 diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index 4b0658894b..793a35d714 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -2,8 +2,6 @@ title: Troubleshoot Start menu errors description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index a0d7a0b65a..ffcdeef194 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -1,10 +1,7 @@ --- title: Start layout XML for desktop editions of Windows 10 (Windows 10) description: This article describes the options for customizing Start layout in LayoutModification.xml for Windows 10 desktop editions. -keywords: ["start screen"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 5699938be7..20c333fb2d 100644 
--- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -2,9 +2,6 @@ title: Add image for secondary Microsoft Edge tiles (Windows 10) description: Add app tiles on Windows 10 that's a secondary tile. ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: aczechowski ms.author: aaroncz diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 40fc295016..ed2728abc4 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -1,13 +1,9 @@ --- title: Configure access to Microsoft Store (Windows 10) description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization. -ms.assetid: 7AA60D3D-2A69-45E7-AAB0-B8AFC29C2E97 ms.reviewer: manager: dougeby ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: store, mobile author: aczechowski ms.author: aaroncz ms.topic: conceptual diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md index 30c40db968..30ef22ea5a 100644 --- a/windows/configuration/supported-csp-start-menu-layout-windows.md +++ b/windows/configuration/supported-csp-start-menu-layout-windows.md @@ -1,14 +1,10 @@ --- title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: ericpapa ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium --- 
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md index 0891f70e8c..40ada8b099 100644 --- a/windows/configuration/supported-csp-taskbar-windows.md +++ b/windows/configuration/supported-csp-taskbar-windows.md @@ -1,14 +1,10 @@ --- title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar. -ms.assetid: manager: dougeby ms.author: aaroncz ms.reviewer: chataylo ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile author: aczechowski ms.localizationpriority: medium --- diff --git a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md index 5c0961785e..4f970289fa 100644 --- a/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-administering-uev-with-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Administering UE-V with Windows PowerShell and WMI description: Learn how User Experience Virtualization (UE-V) provides Windows PowerShell cmdlets to help administrators perform various UE-V tasks. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Administering UE-V with Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index f2456dee1a..7bf2b82260 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md 
@@ -2,9 +2,6 @@ title: Administering UE-V description: Learn how to perform administrative tasks for User Experience Virtualization (UE-V). These tasks include configuring the UE-V service and recovering lost settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Administering UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 50a4533c63..a3d3387c57 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -2,9 +2,6 @@ title: Application Template Schema Reference for UE-V description: Learn details about the XML structure of the UE-V settings location templates and learn how to edit these files. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Application Template Schema Reference for UE-V **Applies to** 
@@ -433,8 +429,8 @@ Application is a container for settings that apply to a particular application. |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| |FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| |Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".| 
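Review bot: In the added `DeferToOffice365` row, swapping "MSA" for "Microsoft account" leaves "Similar to Microsoft account, this controls ...", which compares a template element to an account type. "Similar to DeferToMSAccount, this controls ..." says what is meant. The same row still mixes "Office365" and "Office 365", and the unchanged `Settings` row in this table ends with a stray quotation mark after `[Data types](#data21)`. Both are worth fixing while the table is being touched. The Common table in the next hunk carries the same `DeferToOffice365` wording and needs the same change.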
@@ -452,8 +448,8 @@ Common is similar to an Application element, but it is always associated with tw |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to MSA, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| |FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).| diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 7b1980ded7..61ca2b8c88 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md 
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -2,9 +2,6 @@ title: Changing the Frequency of UE-V Scheduled Tasks description: Learn how to create a script that uses the Schtasks.exe command-line options so you can change the frequency of UE-V scheduled tasks. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Changing the Frequency of UE-V Scheduled Tasks **Applies to** diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md index 8aa4719d90..249336440f 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-group-policy-objects.md @@ -2,9 +2,6 @@ title: Configuring UE-V with Group Policy Objects description: In this article, learn how to configure User Experience Virtualization (UE-V) with Group Policy objects. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Configuring UE-V with Group Policy Objects **Applies to** diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index fa9dda05ab..b8e6955c3d 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md 
@@ -2,9 +2,6 @@ title: Configuring UE-V with Microsoft Endpoint Configuration Manager description: Learn how to configure User Experience Virtualization (UE-V) with Microsoft Endpoint Configuration Manager. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Configuring UE-V with Microsoft Endpoint Manager **Applies to** diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index 1b6513b56d..22cfb858c0 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -2,9 +2,6 @@ title: Deploy required UE-V features description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index 21f2749843..fad99aed73 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -2,9 +2,6 @@ title: Use UE-V with custom applications description: Use User Experience Virtualization (UE-V) to create your own custom settings location templates with the UE-V template generator. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 9074ddc234..75fab30ab1 100644 
--- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -2,9 +2,6 @@ title: User Experience Virtualization for Windows 10, version 1607 description: Overview of User Experience Virtualization for Windows 10, version 1607 author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 05/02/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 2bb02af5e6..39bbfe1418 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -2,9 +2,6 @@ title: Get Started with UE-V description: Use the steps in this article to deploy User Experience Virtualization (UE-V) for the first time in a test environment. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 03/08/2018 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 9ed8904dec..1aa6e9f43e 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -2,9 +2,6 @@ title: Manage Administrative Backup and Restore in UE-V description: Learn how an administrator of User Experience Virtualization (UE-V) can back up and restore application and Windows settings to their original state. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Manage Administrative Backup and Restore in UE-V **Applies to** 
diff --git a/windows/configuration/ue-v/uev-manage-configurations.md b/windows/configuration/ue-v/uev-manage-configurations.md index 4533fb9eb7..a8f2d63d6f 100644 --- a/windows/configuration/ue-v/uev-manage-configurations.md +++ b/windows/configuration/ue-v/uev-manage-configurations.md @@ -2,9 +2,6 @@ title: Manage Configurations for UE-V description: Learn to manage the configuration of the User Experience Virtualization (UE-V) service and also learn to manage storage locations for UE-V resources. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Manage Configurations for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md index b36faf10c5..ba5bebadea 100644 --- a/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI description: Managing UE-V Settings Location Templates Using Windows PowerShell and WMI author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Managing UE-V Settings Location Templates Using Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index d111d768eb..ab70b3209a 100644 
--- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -2,9 +2,6 @@ title: Manage UE-V Service and Packages with Windows PowerShell and WMI description: Managing the UE-V service and packages with Windows PowerShell and WMI author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Managing the UE-V service and packages with Windows PowerShell and WMI **Applies to** diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index 026b5fd10f..eaa34a41eb 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -2,9 +2,6 @@ title: Migrating UE-V settings packages description: Learn to relocate User Experience Virtualization (UE-V) user settings packages either when you migrate to a new server or when you perform backups. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Migrating UE-V settings packages **Applies to** diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index b2b109d6b6..38b78b9d47 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md 
@@ -2,9 +2,6 @@ title: Prepare a UE-V Deployment description: Learn about the types of User Experience Virtualization (UE-V) deployment you can execute and what preparations you can make beforehand to be successful. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-release-notes-1607.md b/windows/configuration/ue-v/uev-release-notes-1607.md index fdc838991d..67badc0dbf 100644 --- a/windows/configuration/ue-v/uev-release-notes-1607.md +++ b/windows/configuration/ue-v/uev-release-notes-1607.md @@ -2,9 +2,6 @@ title: User Experience Virtualization (UE-V) Release Notes description: Read the latest information required to successfully install and use User Experience Virtualization (UE-V) that is not included in the UE-V documentation. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-security-considerations.md b/windows/configuration/ue-v/uev-security-considerations.md index d692ba9f46..b7dc73d2d0 100644 --- a/windows/configuration/ue-v/uev-security-considerations.md +++ b/windows/configuration/ue-v/uev-security-considerations.md @@ -2,9 +2,6 @@ title: Security Considerations for UE-V description: Learn about accounts and groups, log files, and other security-related considerations for User Experience Virtualization (UE-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Security Considerations for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-sync-methods.md b/windows/configuration/ue-v/uev-sync-methods.md index 6eea46080c..31ae2008ce 100644 --- a/windows/configuration/ue-v/uev-sync-methods.md 
+++ b/windows/configuration/ue-v/uev-sync-methods.md @@ -2,9 +2,6 @@ title: Sync Methods for UE-V description: Learn how User Experience Virtualization (UE-V) service sync methods let you synchronize users’ application and Windows settings with the settings storage location. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-sync-trigger-events.md b/windows/configuration/ue-v/uev-sync-trigger-events.md index 414b095f83..a396907df5 100644 --- a/windows/configuration/ue-v/uev-sync-trigger-events.md +++ b/windows/configuration/ue-v/uev-sync-trigger-events.md @@ -2,9 +2,6 @@ title: Sync Trigger Events for UE-V description: Learn how User Experience Virtualization (UE-V) lets you synchronize your application and Windows settings across all your domain-joined devices. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index ea4f3d49bd..c2a81519f1 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -2,9 +2,6 @@ title: Synchronizing Microsoft Office with UE-V description: Learn how User Experience Virtualization (UE-V) supports the synchronization of Microsoft Office application settings. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Synchronizing Office with UE-V **Applies to** 
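Review bot: In uev-synchronizing-microsoft-office-with-uev.md the H1 kept as context in the second hunk reads "# Synchronizing Office with UE-V", while the front-matter title in the first hunk is "Synchronizing Microsoft Office with UE-V". Since this pass is already cleaning up the front matter of these files, align the heading with the title (or the other way round) so that search results and the rendered page show the same name.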
diff --git a/windows/configuration/ue-v/uev-technical-reference.md b/windows/configuration/ue-v/uev-technical-reference.md index cac53df19c..f5a9059d3e 100644 --- a/windows/configuration/ue-v/uev-technical-reference.md +++ b/windows/configuration/ue-v/uev-technical-reference.md @@ -2,9 +2,6 @@ title: Technical Reference for UE-V description: Use this technical reference to learn about the various features of User Experience Virtualization (UE-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Technical Reference for UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-troubleshooting.md b/windows/configuration/ue-v/uev-troubleshooting.md index a940df7833..3bf804b17d 100644 --- a/windows/configuration/ue-v/uev-troubleshooting.md +++ b/windows/configuration/ue-v/uev-troubleshooting.md @@ -2,9 +2,6 @@ title: Troubleshooting UE-V description: Use this technical reference to find resources for troubleshooting User Experience Virtualization (UE-V) for Windows 10. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: @@ -13,7 +10,6 @@ ms.author: aaroncz ms.topic: article --- - # Troubleshooting UE-V **Applies to** diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md index 7cae468ca9..226fe3c440 100644 --- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md +++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md 
@@ -2,9 +2,6 @@ title: Upgrade to UE-V for Windows 10 description: Use these few adjustments to upgrade from User Experience Virtualization (UE-V) 2.x to the latest version of UE-V. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index fb8d02a2a7..59e4e1d213 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -2,9 +2,6 @@ title: Using UE-V with Application Virtualization applications description: Learn how to use User Experience Virtualization (UE-V) with Microsoft Application Virtualization (App-V). author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md index 3240b7bcfa..89fb778fef 100644 --- a/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md +++ b/windows/configuration/ue-v/uev-whats-new-in-uev-for-windows.md @@ -2,9 +2,6 @@ title: What's New in UE-V for Windows 10, version 1607 description: Learn about what's new in User Experience Virtualization (UE-V) for Windows 10, including new features and capabilities. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md index bbbe078c55..d0f06bd548 100644 
--- a/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md +++ b/windows/configuration/ue-v/uev-working-with-custom-templates-and-the-uev-generator.md @@ -2,9 +2,6 @@ title: Working with Custom UE-V Templates and the UE-V Template Generator description: Create your own custom settings location templates by working with Custom User Experience Virtualization (UE-V) Templates and the UE-V Template Generator. author: aczechowski -ms.pagetype: mdop, virtualization -ms.mktglfcycl: deploy -ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 ms.reviewer: diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md index ac4bac4e80..98aa47fcb1 100644 --- a/windows/configuration/wcd/wcd-accountmanagement.md +++ b/windows/configuration/wcd/wcd-accountmanagement.md @@ -2,8 +2,6 @@ title: AccountManagement (Windows 10) description: This section describes the account management settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md index 25d47941a7..94e31def8a 100644 --- a/windows/configuration/wcd/wcd-accounts.md +++ b/windows/configuration/wcd/wcd-accounts.md @@ -2,8 +2,6 @@ title: Accounts (Windows 10) description: This section describes the account settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md index ae172dc1c5..80e83844b0 100644 --- a/windows/configuration/wcd/wcd-admxingestion.md 
+++ b/windows/configuration/wcd/wcd-admxingestion.md @@ -2,8 +2,6 @@ title: ADMXIngestion (Windows 10) description: This section describes the ADMXIngestion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index 68825227e9..f7c184e359 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -2,8 +2,6 @@ title: AssignedAccess (Windows 10) description: This section describes the AssignedAccess setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 5df5b2dfcd..5ebc1cccde 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -2,8 +2,6 @@ title: Browser (Windows 10) description: This section describes the Browser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 6c94aa8796..502a0b3ade 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md 
@@ -2,8 +2,6 @@ title: CellCore (Windows 10) description: This section describes the CellCore settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index f2ba57eae2..d0a091f53f 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the Cellular settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-certificates.md b/windows/configuration/wcd/wcd-certificates.md index 668d0bb304..a83e01ed1d 100644 --- a/windows/configuration/wcd/wcd-certificates.md +++ b/windows/configuration/wcd/wcd-certificates.md @@ -2,8 +2,6 @@ title: Certificates (Windows 10) description: This section describes the Certificates settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md index d196972424..7fae1e2c06 100644 --- a/windows/configuration/wcd/wcd-changes.md +++ b/windows/configuration/wcd/wcd-changes.md 
@@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-cleanpc.md b/windows/configuration/wcd/wcd-cleanpc.md index 090081972f..fdcbf1dd2a 100644 --- a/windows/configuration/wcd/wcd-cleanpc.md +++ b/windows/configuration/wcd/wcd-cleanpc.md @@ -2,8 +2,6 @@ title: CleanPC (Windows 10) description: This section describes the CleanPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md index e71332a303..24465ae5a5 100644 --- a/windows/configuration/wcd/wcd-connections.md +++ b/windows/configuration/wcd/wcd-connections.md @@ -2,8 +2,6 @@ title: Connections (Windows 10) description: This section describes the Connections settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index 4f9bd01b6e..307aab14ca 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -2,8 +2,6 @@ title: ConnectivityProfiles (Windows 10) description: This section describes the ConnectivityProfile settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md index e09bfedbeb..2d326165c7 100644 --- a/windows/configuration/wcd/wcd-countryandregion.md +++ b/windows/configuration/wcd/wcd-countryandregion.md @@ -2,8 +2,6 @@ title: CountryAndRegion (Windows 10) description: This section describes the CountryAndRegion settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md index e8ea46b7dc..dccfa2bfd8 100644 --- a/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md +++ b/windows/configuration/wcd/wcd-desktopbackgroundandcolors.md @@ -2,8 +2,6 @@ title: DesktopBackgroundAndColors (Windows 10) description: This section describes the DesktopBackgrounAndColors settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-developersetup.md b/windows/configuration/wcd/wcd-developersetup.md index 6d1c176a3d..62715da105 100644 --- a/windows/configuration/wcd/wcd-developersetup.md +++ b/windows/configuration/wcd/wcd-developersetup.md 
@@ -2,8 +2,6 @@ title: DeveloperSetup (Windows 10) description: This section describes the DeveloperSetup settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md index 8a4fe3064e..6a101c9fd1 100644 --- a/windows/configuration/wcd/wcd-deviceformfactor.md +++ b/windows/configuration/wcd/wcd-deviceformfactor.md @@ -2,8 +2,6 @@ title: DeviceFormFactor (Windows 10) description: This section describes the DeviceFormFactor setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 32484edbd9..a5bb59742b 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -2,8 +2,6 @@ title: DeviceManagement (Windows 10) description: This section describes the DeviceManagement setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-deviceupdatecenter.md b/windows/configuration/wcd/wcd-deviceupdatecenter.md index 440ed6459b..83bb19007c 100644 --- a/windows/configuration/wcd/wcd-deviceupdatecenter.md +++ b/windows/configuration/wcd/wcd-deviceupdatecenter.md 
@@ -2,8 +2,6 @@ title: DeviceUpdateCenter (Windows 10) description: This section describes the DeviceUpdateCenter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md index ed596c0b34..1154e1643c 100644 --- a/windows/configuration/wcd/wcd-dmclient.md +++ b/windows/configuration/wcd/wcd-dmclient.md @@ -2,8 +2,6 @@ title: DMClient (Windows 10) description: This section describes the DMClient setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md index 9c2e199008..114234aa5d 100644 --- a/windows/configuration/wcd/wcd-editionupgrade.md +++ b/windows/configuration/wcd/wcd-editionupgrade.md @@ -2,8 +2,6 @@ title: EditionUpgrade (Windows 10) description: This section describes the EditionUpgrade settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-firewallconfiguration.md b/windows/configuration/wcd/wcd-firewallconfiguration.md index 574f4d2a0d..a31d1cddcb 100644 --- a/windows/configuration/wcd/wcd-firewallconfiguration.md +++ b/windows/configuration/wcd/wcd-firewallconfiguration.md 
@@ -2,8 +2,6 @@ title: FirewallConfiguration (Windows 10) description: This section describes the FirewallConfiguration setting that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md index a830d6925b..025c70a9b5 100644 --- a/windows/configuration/wcd/wcd-firstexperience.md +++ b/windows/configuration/wcd/wcd-firstexperience.md @@ -2,8 +2,6 @@ title: FirstExperience (Windows 10) description: This section describes the FirstExperience settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md index 1008dd3172..e45a67e31a 100644 --- a/windows/configuration/wcd/wcd-folders.md +++ b/windows/configuration/wcd/wcd-folders.md @@ -2,8 +2,6 @@ title: Folders (Windows 10) description: This section describes the Folders settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index cf3eb21000..db0317ff32 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md 
@@ -2,8 +2,6 @@ title: HotSpot (Windows 10) description: This section describes the HotSpot settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md index 9e653528de..0f38069d39 100644 --- a/windows/configuration/wcd/wcd-kioskbrowser.md +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -2,8 +2,6 @@ title: KioskBrowser (Windows 10) description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-licensing.md b/windows/configuration/wcd/wcd-licensing.md index 8342ca38d7..5e1385d91a 100644 --- a/windows/configuration/wcd/wcd-licensing.md +++ b/windows/configuration/wcd/wcd-licensing.md @@ -2,8 +2,6 @@ title: Licensing (Windows 10) description: This section describes the Licensing settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md index 3e0a47a230..65d0cf04b9 100644 --- a/windows/configuration/wcd/wcd-location.md +++ b/windows/configuration/wcd/wcd-location.md 
@@ -2,8 +2,6 @@ title: Location (Windows 10) description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md index cdb5ff8a79..fa05e3ac5d 100644 --- a/windows/configuration/wcd/wcd-maps.md +++ b/windows/configuration/wcd/wcd-maps.md @@ -2,8 +2,6 @@ title: Maps (Windows 10) description: This section describes the Maps settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-networkproxy.md b/windows/configuration/wcd/wcd-networkproxy.md index e16622e753..20e53f7d72 100644 --- a/windows/configuration/wcd/wcd-networkproxy.md +++ b/windows/configuration/wcd/wcd-networkproxy.md @@ -2,8 +2,6 @@ title: NetworkProxy (Windows 10) description: This section describes the NetworkProxy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-networkqospolicy.md b/windows/configuration/wcd/wcd-networkqospolicy.md index 24179089bf..46d1804745 100644 --- a/windows/configuration/wcd/wcd-networkqospolicy.md +++ b/windows/configuration/wcd/wcd-networkqospolicy.md 
@@ -2,8 +2,6 @@ title: NetworkQoSPolicy (Windows 10) description: This section describes the NetworkQoSPolicy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-oobe.md b/windows/configuration/wcd/wcd-oobe.md index 7ab4e1b5f7..f885d27c0e 100644 --- a/windows/configuration/wcd/wcd-oobe.md +++ b/windows/configuration/wcd/wcd-oobe.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the OOBE settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-personalization.md b/windows/configuration/wcd/wcd-personalization.md index 6bfb8c53ab..ecd6a488c9 100644 --- a/windows/configuration/wcd/wcd-personalization.md +++ b/windows/configuration/wcd/wcd-personalization.md @@ -2,8 +2,6 @@ title: Personalization (Windows 10) description: This section describes the Personalization settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index c894bdc784..fddfc8e061 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md 
@@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the Policies settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-privacy.md b/windows/configuration/wcd/wcd-privacy.md index ff0d8ba5c4..827c8bad55 100644 --- a/windows/configuration/wcd/wcd-privacy.md +++ b/windows/configuration/wcd/wcd-privacy.md @@ -2,8 +2,6 @@ title: Privacy (Windows 10) description: This section describes the Privacy settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-provisioningcommands.md b/windows/configuration/wcd/wcd-provisioningcommands.md index 353d7fc8d7..fe6ca80426 100644 --- a/windows/configuration/wcd/wcd-provisioningcommands.md +++ b/windows/configuration/wcd/wcd-provisioningcommands.md @@ -2,8 +2,6 @@ title: ProvisioningCommands (Windows 10) description: This section describes the ProvisioningCommands settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index e92b9ff5e9..f3035e6415 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md 
@@ -2,8 +2,6 @@ title: SharedPC (Windows 10) description: This section describes the SharedPC settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-smisettings.md b/windows/configuration/wcd/wcd-smisettings.md index 18f8ce37ce..c3e15932b1 100644 --- a/windows/configuration/wcd/wcd-smisettings.md +++ b/windows/configuration/wcd/wcd-smisettings.md @@ -2,8 +2,6 @@ title: SMISettings (Windows 10) description: This section describes the SMISettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-start.md b/windows/configuration/wcd/wcd-start.md index c06113474f..04bbf138fd 100644 --- a/windows/configuration/wcd/wcd-start.md +++ b/windows/configuration/wcd/wcd-start.md @@ -2,8 +2,6 @@ title: Start (Windows 10) description: This section describes the Start settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-startupapp.md b/windows/configuration/wcd/wcd-startupapp.md index 97b161c250..ad8220553a 100644 --- a/windows/configuration/wcd/wcd-startupapp.md +++ b/windows/configuration/wcd/wcd-startupapp.md 
@@ -2,8 +2,6 @@ title: StartupApp (Windows 10) description: This section describes the StartupApp settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-startupbackgroundtasks.md b/windows/configuration/wcd/wcd-startupbackgroundtasks.md index 4e26559f04..dba45f6c55 100644 --- a/windows/configuration/wcd/wcd-startupbackgroundtasks.md +++ b/windows/configuration/wcd/wcd-startupbackgroundtasks.md @@ -2,8 +2,6 @@ title: StartupBackgroundTasks (Windows 10) description: This section describes the StartupBackgroundTasks settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md index 4ef3ca8adf..83269cd2b6 100644 --- a/windows/configuration/wcd/wcd-storaged3inmodernstandby.md +++ b/windows/configuration/wcd/wcd-storaged3inmodernstandby.md @@ -2,8 +2,6 @@ title: StorageD3InModernStandby (Windows 10) description: This section describes the StorageD3InModernStandby settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-surfacehubmanagement.md b/windows/configuration/wcd/wcd-surfacehubmanagement.md index 227a05ff2f..4d3996dcfd 100644 --- a/windows/configuration/wcd/wcd-surfacehubmanagement.md +++ b/windows/configuration/wcd/wcd-surfacehubmanagement.md 
@@ -2,8 +2,6 @@ title: SurfaceHubManagement (Windows 10) description: This section describes the SurfaceHubManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 7365638aa4..7c8c7a37e3 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -2,8 +2,6 @@ title: TabletMode (Windows 10) description: This section describes the TabletMode settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-takeatest.md b/windows/configuration/wcd/wcd-takeatest.md index 0fc360651c..b4843fdb7b 100644 --- a/windows/configuration/wcd/wcd-takeatest.md +++ b/windows/configuration/wcd/wcd-takeatest.md @@ -2,8 +2,6 @@ title: TakeATest (Windows 10) description: This section describes the TakeATest settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-time.md b/windows/configuration/wcd/wcd-time.md index 19dc4a9203..c2a766d169 100644 --- a/windows/configuration/wcd/wcd-time.md +++ b/windows/configuration/wcd/wcd-time.md 
@@ -2,8 +2,6 @@ title: Time (Windows 10) description: This section describes the Time settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 7a54c8d4a2..8c8c8648db 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -2,8 +2,6 @@ title: UnifiedWriteFilter (Windows 10) description: This section describes the UnifiedWriteFilter settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md index 3eec0e5b18..f62e4299e3 100644 --- a/windows/configuration/wcd/wcd-universalappinstall.md +++ b/windows/configuration/wcd/wcd-universalappinstall.md @@ -2,8 +2,6 @@ title: UniversalAppInstall (Windows 10) description: This section describes the UniversalAppInstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-universalappuninstall.md b/windows/configuration/wcd/wcd-universalappuninstall.md index 38594be3eb..690bfc3ea4 100644 --- a/windows/configuration/wcd/wcd-universalappuninstall.md +++ b/windows/configuration/wcd/wcd-universalappuninstall.md 
@@ -2,8 +2,6 @@ title: UniversalAppUninstall (Windows 10) description: This section describes the UniversalAppUninstall settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-usberrorsoemoverride.md b/windows/configuration/wcd/wcd-usberrorsoemoverride.md index 946006edef..1c9909507e 100644 --- a/windows/configuration/wcd/wcd-usberrorsoemoverride.md +++ b/windows/configuration/wcd/wcd-usberrorsoemoverride.md @@ -2,8 +2,6 @@ title: UsbErrorsOEMOverride (Windows 10) description: This section describes the UsbErrorsOEMOverride settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md index 057f4eb2ea..676df2efed 100644 --- a/windows/configuration/wcd/wcd-weakcharger.md +++ b/windows/configuration/wcd/wcd-weakcharger.md @@ -2,8 +2,6 @@ title: WeakCharger (Windows 10) description: This section describes the WeakCharger settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 9549606c41..f42e48ac49 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md 
@@ -2,8 +2,6 @@ title: WindowsHelloForBusiness (Windows 10) description: This section describes the Windows Hello for Business settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md index 37390601a1..51e2f55a43 100644 --- a/windows/configuration/wcd/wcd-windowsteamsettings.md +++ b/windows/configuration/wcd/wcd-windowsteamsettings.md @@ -2,8 +2,6 @@ title: WindowsTeamSettings (Windows 10) description: This section describes the WindowsTeamSettings settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 810a9d27b4..2709497450 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -4,8 +4,6 @@ ms.reviewer: manager: dougeby description: This section describes the WLAN settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md index a61acc7311..ee8d4e0bc6 100644 --- a/windows/configuration/wcd/wcd-workplace.md +++ b/windows/configuration/wcd/wcd-workplace.md 
@@ -2,8 +2,6 @@ title: Workplace (Windows 10) description: This section describes the Workplace settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index a0de3514c7..6fb2f329ca 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -2,8 +2,6 @@ title: Windows Configuration Designer provisioning settings (Windows 10) description: This section describes the settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 2bbae9dfc2..3f9a6310d2 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -3,8 +3,6 @@ title: Windows 10 accessibility information for IT Pros (Windows 10) description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them keywords: accessibility, settings, vision, hearing, physical, cognition, assistive ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index 917fc0e4f1..4965185168 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -1,13 +1,9 @@ --- title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. -ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A ms.reviewer: manager: dougeby -keywords: ["start screen", "start menu"] ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 962bb26a07..88baf2f9e0 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -1,13 +1,9 @@ --- title: Configure Windows Spotlight on the lock screen (Windows 10) description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen. -ms.assetid: 1AEA51FA-A647-4665-AD78-2F3FB27AD46A ms.reviewer: manager: dougeby -keywords: ["lockscreen"] ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 0e700e4349..cbeb91ed35 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml 
@@ -184,51 +184,86 @@ href: update/deploy-updates-intune.md - name: Monitor Windows client updates items: - - name: Monitor Delivery Optimization - href: do/waas-delivery-optimization-setup.md#monitor-delivery-optimization - - name: Monitor Windows Updates + - name: Monitor with Update Compliance (preview version) + href: update/update-compliance-v2-overview.md + items: + - name: Enable Update Compliance (preview) + items: + - name: Update Compliance prerequisites + href: update/update-compliance-v2-prerequisites.md + - name: Enable the Update Compliance solution + href: update/update-compliance-v2-enable.md + - name: Configure clients with a script + href: update/update-compliance-v2-configuration-script.md + - name: Configure clients manually + href: update/update-compliance-v2-configuration-manual.md + - name: Configure clients with Microsoft Endpoint Manager + href: update/update-compliance-v2-configuration-mem.md + - name: Use Update Compliance (preview) + items: + - name: Use Update Compliance + href: update/update-compliance-v2-use.md + - name: Software updates in the Microsoft admin center (preview) + href: update/update-status-admin-center.md + - name: Update Compliance schema reference (preview) items: - - name: Monitor Windows Updates with Update Compliance - href: update/update-compliance-monitor.md - - name: Get started - items: - - name: Get started with Update Compliance - href: update/update-compliance-get-started.md - - name: Update Compliance configuration script - href: update/update-compliance-configuration-script.md - - name: Manually configuring devices for Update Compliance - href: update/update-compliance-configuration-manual.md - - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager - href: update/update-compliance-configuration-mem.md - - name: Update Compliance monitoring - items: - - name: Use Update Compliance - href: update/update-compliance-using.md - - name: Need attention report - href: 
update/update-compliance-need-attention.md - - name: Security update status report - href: update/update-compliance-security-update-status.md - - name: Feature update status report - href: update/update-compliance-feature-update-status.md - - name: Safeguard holds report - href: update/update-compliance-safeguard-holds.md - - name: Delivery Optimization in Update Compliance - href: update/update-compliance-delivery-optimization.md - - name: Data handling and privacy in Update Compliance - href: update/update-compliance-privacy.md - - name: Update Compliance schema reference - href: update/update-compliance-schema.md - items: - - name: WaaSUpdateStatus - href: update/update-compliance-schema-waasupdatestatus.md - - name: WaaSInsiderStatus - href: update/update-compliance-schema-waasinsiderstatus.md - - name: WaaSDepoymentStatus - href: update/update-compliance-schema-waasdeploymentstatus.md - - name: WUDOStatus - href: update/update-compliance-schema-wudostatus.md - - name: WUDOAggregatedStatus - href: update/update-compliance-schema-wudoaggregatedstatus.md + - name: Update Compliance schema reference + href: update/update-compliance-v2-schema.md + - name: UCClient + href: update/update-compliance-v2-schema-ucclient.md + - name: UCClientReadinessStatus + href: update/update-compliance-v2-schema-ucclientreadinessstatus.md + - name: UCClientUpdateStatus + href: update/update-compliance-v2-schema-ucclientupdatestatus.md + - name: UCDeviceAlert + href: update/update-compliance-v2-schema-ucdevicealert.md + - name: UCServiceUpdateStatus + href: update/update-compliance-v2-schema-ucserviceupdatestatus.md + - name: UCUpdateAlert + href: update/update-compliance-v2-schema-ucupdatealert.md + - name: Monitor updates with Update Compliance + href: update/update-compliance-monitor.md + items: + - name: Get started + items: + - name: Get started with Update Compliance + href: update/update-compliance-get-started.md + - name: Update Compliance configuration script + href: 
update/update-compliance-configuration-script.md + - name: Manually configuring devices for Update Compliance + href: update/update-compliance-configuration-manual.md + - name: Configuring devices for Update Compliance in Microsoft Endpoint Manager + href: update/update-compliance-configuration-mem.md + - name: Update Compliance monitoring + items: + - name: Use Update Compliance + href: update/update-compliance-using.md + - name: Need attention report + href: update/update-compliance-need-attention.md + - name: Security update status report + href: update/update-compliance-security-update-status.md + - name: Feature update status report + href: update/update-compliance-feature-update-status.md + - name: Safeguard holds report + href: update/update-compliance-safeguard-holds.md + - name: Delivery Optimization in Update Compliance + href: update/update-compliance-delivery-optimization.md + - name: Data handling and privacy in Update Compliance + href: update/update-compliance-privacy.md + - name: Schema reference + items: + - name: Update Compliance schema reference + href: update/update-compliance-schema.md + - name: WaaSUpdateStatus + href: update/update-compliance-schema-waasupdatestatus.md + - name: WaaSInsiderStatus + href: update/update-compliance-schema-waasinsiderstatus.md + - name: WaaSDepoymentStatus + href: update/update-compliance-schema-waasdeploymentstatus.md + - name: WUDOStatus + href: update/update-compliance-schema-wudostatus.md + - name: WUDOAggregatedStatus + href: update/update-compliance-schema-wudoaggregatedstatus.md - name: Troubleshooting items: - name: Resolve upgrade errors diff --git a/windows/deployment/do/images/imcc02.png b/windows/deployment/do/images/imcc02.png index 351dad7325..151fa69ed7 100644 Binary files a/windows/deployment/do/images/imcc02.png and b/windows/deployment/do/images/imcc02.png differ 
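Review bot: The re-indented schema entry in windows/deployment/TOC.yml is added back with its old misspelling, `- name: WaaSDepoymentStatus`, although its href is update/update-compliance-schema-waasdeploymentstatus.md. Since the line is being rewritten anyway, rename it to WaaSDeploymentStatus so the TOC label matches the schema name. The same hunk removes the `Monitor Delivery Optimization` entry (href do/waas-delivery-optimization-setup.md#monitor-delivery-optimization) and adds no replacement in the visible lines, so confirm that section is still reachable from the TOC or from another article.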
diff --git a/windows/deployment/do/images/imcc10.png b/windows/deployment/do/images/imcc10.png index e5da041358..53d2773ce6 100644 Binary files a/windows/deployment/do/images/imcc10.png and b/windows/deployment/do/images/imcc10.png differ diff --git a/windows/deployment/do/images/imcc11.png b/windows/deployment/do/images/imcc11.png index 9ffaac6072..bf45500aba 100644 Binary files a/windows/deployment/do/images/imcc11.png and b/windows/deployment/do/images/imcc11.png differ diff --git a/windows/deployment/do/images/imcc12.png b/windows/deployment/do/images/imcc12.png index fcb5d40a45..d776cb5913 100644 Binary files a/windows/deployment/do/images/imcc12.png and b/windows/deployment/do/images/imcc12.png differ diff --git a/windows/deployment/do/images/imcc13.png b/windows/deployment/do/images/imcc13.png index 3d2a566c8b..feee2d0e9c 100644 Binary files a/windows/deployment/do/images/imcc13.png and b/windows/deployment/do/images/imcc13.png differ diff --git a/windows/deployment/do/images/imcc14.png b/windows/deployment/do/images/imcc14.png index 627d496b4c..59dc405046 100644 Binary files a/windows/deployment/do/images/imcc14.png and b/windows/deployment/do/images/imcc14.png differ diff --git a/windows/deployment/do/images/imcc17.png b/windows/deployment/do/images/imcc17.png index ac6b5be124..f6b0ffcad7 100644 Binary files a/windows/deployment/do/images/imcc17.png and b/windows/deployment/do/images/imcc17.png differ diff --git a/windows/deployment/do/images/imcc18.png b/windows/deployment/do/images/imcc18.png index aa818361eb..5b89bfe31a 100644 Binary files a/windows/deployment/do/images/imcc18.png and b/windows/deployment/do/images/imcc18.png differ diff --git a/windows/deployment/do/images/imcc19.png b/windows/deployment/do/images/imcc19.png index 2a70b46b11..ead9d1c383 100644 Binary files a/windows/deployment/do/images/imcc19.png and b/windows/deployment/do/images/imcc19.png differ 
diff --git a/windows/deployment/do/images/imcc26.png b/windows/deployment/do/images/imcc26.png index c46a7e6363..b64e3849dc 100644 Binary files a/windows/deployment/do/images/imcc26.png and b/windows/deployment/do/images/imcc26.png differ diff --git a/windows/deployment/do/images/imcc27.png b/windows/deployment/do/images/imcc27.png index 01076b3ae5..c37713364f 100644 Binary files a/windows/deployment/do/images/imcc27.png and b/windows/deployment/do/images/imcc27.png differ diff --git a/windows/deployment/do/images/imcc28.png b/windows/deployment/do/images/imcc28.png index a7aa7eecd7..cc99b61638 100644 Binary files a/windows/deployment/do/images/imcc28.png and b/windows/deployment/do/images/imcc28.png differ diff --git a/windows/deployment/do/images/imcc29.png b/windows/deployment/do/images/imcc29.png deleted file mode 100644 index 2291487e5b..0000000000 Binary files a/windows/deployment/do/images/imcc29.png and /dev/null differ diff --git a/windows/deployment/do/images/imcc30.png b/windows/deployment/do/images/imcc30.png index 8cabce52c8..42301d5c4c 100644 Binary files a/windows/deployment/do/images/imcc30.png and b/windows/deployment/do/images/imcc30.png differ diff --git a/windows/deployment/do/images/imcc54.png b/windows/deployment/do/images/imcc54.png new file mode 100644 index 0000000000..c40ab0c5c9 Binary files /dev/null and b/windows/deployment/do/images/imcc54.png differ diff --git a/windows/deployment/do/images/imcc55.PNG b/windows/deployment/do/images/imcc55.PNG new file mode 100644 index 0000000000..2875d4d56e Binary files /dev/null and b/windows/deployment/do/images/imcc55.PNG differ diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md new file mode 100644 index 0000000000..811b6b5a0c --- /dev/null +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md 
@@ -0,0 +1,162 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.mktglfcycl: deploy +audience: itpro +ms.topic: include +ms.date: 04/06/2022 +ms.localizationpriority: medium +--- + + +## Monitor Delivery Optimization + +### Windows PowerShell cmdlets + +**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. + +#### Analyze usage + +`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. + +| Key | Value | +| --- | --- | +| File ID | A GUID that identifies the file being processed | +| FileSize | Size of the file | +| FileSizeInCache | Size of the file in the cache | +| TotalBytesDownloaded | The number of bytes from any source downloaded so far | +| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | +| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | +| BytesfromHTTP | Total number of bytes received over HTTP | +| Status | Current state of the operation. 
Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| Priority | Priority of the download; values are **foreground** or **background** | +| BytesFromCacheServer | Total number of bytes received from cache server | +| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | +| BytesFromGroupPeers | Total number of bytes received from peers found in the group | +| BytesFromInternetPeers | Total number of bytes received from internet peers | +| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | +| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | +| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | +| DownloadDuration | Total download time in seconds | +| HttpConnectionCount | | +| LanConnectionCount | | +| GroupConnectionCount | | +| InternetConnectionCount | | +| DownloadMode | | +| SourceURL | Http source for the file | +| CacheHost | IP address for the cache server | +| NumPeers | Indicates the total number of peers returned from the service. | +| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | +| ExpireOn | The target expiration date and time for the file. | +| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). 
| + +`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: + +| Key | Value | +| --- | --- | +| FilesDownloaded | Number of files downloaded | +| FilesUploaded | Number of files uploaded | +| Files | | +| TotalBytesDownloaded | Total bytes downloaded | +| TotalBytesUploaded | Total bytes uploaded | +| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | +| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | +| DownloadMode | Delivery Optimization Download mode used to deliver file | +| CacheSizeBytes | | +| TotalDiskBytes | | +| AvailableDiskBytes | | +| CpuUsagePct | | +| MemUsageKB | | +| NumberOfPeers | | +| CacheHostConnections | | +| CdnConnections | | +| LanConnections | | +| LinkLocalConnections | | +| GroupConnections | | +| InternetConnections | | +| DownlinkBps | | +| DownlinkUsageBps | | +| UplinkBps | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UplinkUsageBps | | +| ForegroundDownloadRatePct | | +| BackgroundDownloadRatePct | | +| UploadRatePct | | +| UploadCount | | +| ForegroundDownloadCount | | +| ForegroundDownloadsPending | | +| BackgroundDownloadCount | | +| BackgroundDownloadsPending | | + +Using the `-Verbose` option returns additional information: + +- Bytes from peers (per type) +- Bytes from CDN (the number of bytes received over HTTP) +- Average number of peer connections per download + +**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. 
+ +#### Manage the Delivery Optimization cache + +**Starting in Windows 10, version 1903:** + +`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. + +`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. + +You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. + +`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. + +`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are reached. The file is included in the cache quota calculation. + +`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: + +- `-FileID` specifies a particular file to delete. +- `-IncludePinnedFiles` deletes all files that are pinned. +- `-Force` deletes the cache with no prompts. 
+ +#### Work with Delivery Optimization logs + +**Starting in Windows 10, version 2004:** + +- `Enable-DeliveryOptimizationVerboseLogs` +- `Disable-DeliveryOptimizationVerboseLogs` + +- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` + +With no options, this cmdlet returns these data: + +- total number of files +- number of foreground files +- minimum file size for it to be cached +- number of eligible (larger than the minimum size for peering) files +- number of files that found peers +- number of peering files (the number of files that got at least 1 byte from peers) +- overall efficiency +- efficiency in the peered files + +Using the `-ListConnections` option returns these details about peers: + +- destination IP address +- peer type +- status code +- bytes sent +- bytes received +- file ID + +**Starting in Windows 10, version 1803:** + +`Get-DeliveryOptimizationLog [-Path ] [-Flush]` + +If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. + +Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. diff --git a/windows/deployment/do/mcc-isp.md b/windows/deployment/do/mcc-isp.md index dd4a7afbbc..458c5af1b4 100644 --- a/windows/deployment/do/mcc-isp.md +++ b/windows/deployment/do/mcc-isp.md 
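Review bot: Several cmdlet references in the new waas-delivery-optimization-monitor.md include will fail if copied as written. The IsPinned row points to `setDeliveryOptmizationStatus` (no hyphen, "Optimization" misspelled), and both pin examples pass `-File ID [FileID]` with a space, while the `-ExpireOn` examples and the `delete-DeliveryOptimizationCache` options use `-FileID`. Align them on `Set-DeliveryOptimizationStatus` and `-FileID`, and decide whether the first table key should be `FileID` rather than `File ID`. The BytesToInternetPeers description repeats the BytesToLanPeers text ("delivered from peers found on the LAN") and should refer to internet peers. The `Get-DeliveryOptimizationPerfSnap` table lists UplinkUsageBps, ForegroundDownloadRatePct, BackgroundDownloadRatePct and UploadRatePct twice. The front matter adds `ms.mktglfcycl: deploy`, a key this same change removes from the Start layout and Windows Spotlight articles, so drop it here for consistency.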
@@ -1,593 +1,740 @@ --- title: Microsoft Connected Cache for Internet Service Providers (ISPs) -manager: dougeby description: Details on Microsoft Connected Cache (MCC) for Internet Service Providers (ISPs). -keywords: updates, downloads, network, bandwidth ms.prod: w10 -ms.mktglfcycl: deploy -audience: itpro -author: carmenf +ms.technology: windows ms.localizationpriority: medium -ms.author: carmenf +author: amymzhou +ms.author: aaroncz +ms.reviewer: carmenf +manager: dougeby ms.collection: M365-modern-desktop -ms.topic: article +ms.topic: how-to +ms.date: 05/20/2022 --- # Microsoft Connected Cache for Internet Service Providers (ISPs) -**Applies to** +_Applies to_ -- Windows 10 +- Windows 10 - Windows 11 ## Overview > [!IMPORTANT] -> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase does not include formal support, and should not be used for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a private preview feature. During this phase we invite customers to take part in early access for testing purposes. This phase doesn't include formal support. Instead, you'll be working directly with the product team to provide feedback on Microsoft Connected Cache. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. 
+Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within operator networks. MCC can be deployed to as many physical servers or VMs as needed and is managed from a cloud portal. Microsoft cloud services handle routing of consumer devices to the cache server for content downloads. -Microsoft Connected Cache is a Hybrid (mix of on-prem and cloud resources) solution composed of a Docker compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge (more information on IoT Edge [in the appendix](#iot-edge-runtime)) as a secure and reliable control plane, and even though your scenario is not related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. Azure IoT Edge consists of three components that the Microsoft Connected Cache infrastructure will utilize: - -1. A cloud-based interface that enables secure, remote installation, monitoring, and management of MCC nodes. -2. A runtime that securely manages the modules deployed to each device. -3. Modules/containers that run the MCC functionality on your device. +Microsoft Connected Cache is a hybrid application, in that it's a mix of on-premises and cloud resources. It's composed of a Docker-compatible Linux container deployed to your server and a cloud management portal. Microsoft chose Azure IoT Edge as a secure and reliable control plane. For more information on IoT Edge, see the [Appendix](#appendix). Even though your scenario isn't related to IoT, Azure IoT Edge is our secure Linux container deployment and management infrastructure. ## How MCC works -The following steps describe how MCC is provisioned and used. +:::image type="content" source="images/imcc01.png" alt-text="Data flow diagram of how Microsoft Connected Cache works." lightbox="images/imcc01.png"::: -1. The Azure Management Portal used to create and manage MCC nodes. -2. 
The MCC container is deployed and provisioned to the server. -3. The Azure Management Portal is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server by providing two pieces of information: - - The publicly accessible IPv4 address of the server hosting the MCC container. - - The CIDR blocks that represent the client IP address space, which should be routed to the MCC node. -4. Microsoft end-user devices periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. -5. Microsoft end-user devices make the range requests for content from the MCC node. -6. An MCC node pulls content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. -7. Subsequent requests from end-user devices for content will now come from cache. -8. If the MCC node is unavailable, the client will pull content from CDN to ensure uninterrupted service for your subscribers. +The following steps describe how MCC is provisioned and used: - ![MCC overview 1](images/imcc01.png) +1. The Azure Management Portal is used to create and manage MCC nodes. -## ISP Requirements for MCC +2. A shell script is used to provision the server and deploy the MCC application. -1. **Azure subscription**: The MCC management portal is hosted within Azure, and is used to create the Connected Cache Azure resource and IoT Hub resource. Both are free services. +3. A combination of the Azure Management Portal and shell script is used to configure Microsoft Delivery Optimization Services to route traffic to the MCC server. - Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. 
If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). + - The publicly accessible IPv4 address of the server is configured on the portal. - The resources used for the preview, and in the future when this product is ready for production, will be completely free to you - like other caching solutions. - - > [!NOTE] - > If you request Exchange or Public peering in the future, business email addresses must be used to register ASN's, because Microsoft does not accept gmail or other non-business email addresses. + - **Manual Routing:** Providing the CIDR blocks that represent the client IP address space, which should be routed to the MCC node. -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35,000 consumer devices, downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. + - **BGP Routing:** A shell script is used to initiate a peering session with a router in the operator network, and the operator initiates a session with the MCC node. + + > [!NOTE] + > Only IPv4 addresses are supported at this time. Entering IPv6 addresses will result in an error. + +4. Microsoft end-user devices (clients) periodically connect with Microsoft Delivery Optimization Services, and the services match the IP address of the client with the IP address of the corresponding MCC node. + +5. Microsoft clients make the range requests for content from the MCC node. + +6. A MCC node gets content from the CDN, seeds its local cache stored on disk, and delivers the content to the client. + +7. Subsequent requests from end-user devices for content will be served from cache. + +8. 
If the MCC node is unavailable, the client gets content from the CDN to ensure uninterrupted service for your subscribers. + +## ISP requirements for MCC + +### Azure subscription + +The MCC management portal is hosted within Azure. It's used to create the Connected Cache Azure resource and IoT Hub resource. Both are _free_ services. + +> [!NOTE] +> If you request Exchange or Public peering in the future, business email addresses must be used to register ASNs. Microsoft doesn't accept Gmail or other non-business email addresses. + +Your Azure subscription ID is first used to provision MCC services and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure free account FAQ](https://azure.microsoft.com/free/free-account-faq/). _Don't submit a trial subscription_ as you'll lose access to your Azure resources after the trial period ends. + +The resources used for the preview, and in the future when this product is ready for production, will be free to you - like other caching solutions. + +> [!IMPORTANT] +> To join the Microsoft Connected Cache private preview, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). + +### Hardware to host the MCC + +This recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. + +#### Disk requirements -Disk requirements: - SSDs are recommended due to improved cache read speeds of SSD, compared to HDD. - Using multiple disks is recommended to improve cache performance. - RAID disk configurations are discouraged because cache performance will be impacted. If you're using RAID disk configurations, ensure striping. - The maximum number of disks supported is 10. 
-NIC requirements: -- Multiple NICs on a single MCC instance are not supported. -- 10Gbps NIC is the minimum speed recommended, but any NIC is supported. +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a _link aggregated_ configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. ### Sizing recommendations +The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. The following recommended configuration can egress at a rate of 9 Gbps with a 10 Gbps NIC. + | Component | Minimum | Recommended | | -- | --- | --- | | OS | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | | NIC | 10 Gbps| at least 10 Gbps | -| Disk | SSD
    1 drive
    2TB each |SSD
    2-4 drives
    at least 2TB each | -| Memory | 8GB | 32GB or greater | +| Disk | SSD
    1 drive
    2 TB each |SSD
    2-4 drives
    at least 2 TB each | +| Memory | 8 GB | 32 GB or greater | | Cores | 4 | 8 or more | ## Steps to deploy MCC To deploy MCC: -1. [Provide Microsoft with the Azure subscription ID](#provide-microsoft-with-the-azure-subscription-id) +1. [Provide Microsoft with your Azure subscription ID](#provide-microsoft-with-your-azure-subscription-id) 2. [Create the MCC Resource in Azure](#create-the-mcc-resource-in-azure) -3. [Create an MCC Node](#create-an-mcc-node-in-azure): IP address space approval information is required for this step. -4. [Edit Cache Node Information](#edit-cache-node-information) -5. [Set up your server](#set-up-a-server-with-sr-or-an-ubuntu) -6. [Install MCC on a physical server or VM](#install-mcc) -7. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server) -8. [Review the MCC summary report](#verify-server-side) -9. [Review common issues](#common-issues) if needed. +3. [Create a Cache Node](#create-a-mcc-node-in-azure) +4. [Configure Cache Node Routing](#edit-cache-node-information) +5. [Install MCC on a physical server or VM](#install-mcc) +6. [Verify properly functioning MCC server](#verify-properly-functioning-mcc-server) +7. [Review common issues if needed](#common-issues) -For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) +For questions regarding these instructions, contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com). -## Provide Microsoft with the Azure Subscription ID +## Provide Microsoft with your Azure subscription ID -As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. +As part of the MCC preview onboarding process, an Azure subscription ID must be provided to Microsoft. 
> [!IMPORTANT] -> [Contact Microsoft](mailto:mccforenterprise@microsoft.com?subject=[MCC%20for%20Enterprise]%20Please%20add%20our%20Azure%20subscription%20to%20the%20allow%20list) and provide your Azure subscription ID if you have not already. You'll not be able to proceed if you skip this step. +> If you haven't already, provide your Azure subscription ID by filling out [this survey](https://aka.ms/MCCForISPSurvey). You can't continue if you skip this step. - -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and cache nodes. -Send email to the MCC team ([msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)) with your Azure subscription ID to get access to the preview. The team will send you a link to the Azure portal, which will allow you to create the resource described below. +Operators who have been given access to the program will be sent a link to the Azure portal, which will allow you to create this resource. -1. Choose **Create a resource** +1. Choose **Create a resource**. - ![eMCC img02](images/imcc02.png) + :::image type="content" source="images/imcc02.png" alt-text="Select the option to 'Create a resource' in the Azure portal."::: -2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. +1. 
Type **Microsoft Connected Cache** into the search box and press **Enter** to show the search results. -3. Select **Microsoft Connected Cache** and choose **Create** on the next screen to start the process of creating the MCC resource. +1. Select **Microsoft Connected Cache**. - ![iMCC img03](images/imcc03.png) - ![iMCC img04](images/imcc04.png) + :::image type="content" source="images/imcc03.png" alt-text="Search the Azure Marketplace for 'Microsoft Connected Cache'."::: -4. Fill in the required fields to create the MCC resource. + > [!IMPORTANT] + > Don't select _Connected Cache Resources_, which is different from **Microsoft Connected Cache**. - - Choose the subscription that you provided to Microsoft. - - Azure resource groups are logical groups of resources. Create a new resource group and choose a name for your resource group. - - Choose **(US) West US**” for the location of the resource. This choice will not impact MCC if the physical location isn't in the West US, it is just a limitation of the preview. +1. Select **Create** on the next screen to start the process of creating the MCC resource. - > [!NOTE] - > Your MCC resource will not be created properly if you don't select **(US) West US** + :::image type="content" source="images/imcc04.png" alt-text="Select the option to Create the Microsoft Connected Cache service."::: - - Choose a name for the MCC resource. +1. Fill in the following required fields to create the MCC resource: - ![iMCC emg05](images/imcc05.png) + - Choose the **Subscription** that you provided to Microsoft. -5. Once all the information has been entered, click the **Review + Create** button. Once validation is complete, click the **Create** button to start the - resource creation. + - Azure resource groups are logical groups of resources. Create a new **Resource group** and choose a name for it. - ![iMCC img06](images/imcc06.png) + - Choose **(US) West US** for the **Location** of the resource. 
This choice won't impact MCC if the physical location isn't in the West US, it's just a limitation of the preview. -#### Error: Validation failed + > [!NOTE] + > Your MCC resource won't create properly if you don't select **(US) West US**. -- If you get a Validation failed error message on your portal, it is likely because you selected the **Location** as **US West 2** or some other location that isn't **(US) West US**. -- To resolve this error, go to the previous step and choose **(US) West US**. + - Specify a **Connected Cache Resource Name**. - ![iMCC img07](images/imcc07.png) + :::image type="content" source="images/imcc05.png" alt-text="Enter the required information to create a Connected Cache in Azure."::: -### Create an MCC node in Azure +1. Select **Review + Create**. Once validation is complete, select **Create** to start the resource creation. -Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal. + :::image type="content" source="images/imcc06.png" alt-text="'Your deployment is complete' message displaying deployment details."::: -1. After the successful resource creation click on the **Go to resource**. -2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. +#### Common Resource Creation Errors - ![iMCC img08](images/imcc08.png) +##### Error: Validation failed -3. On the **Cache Nodes** blade, click on the **Create Cache Node** button. +If you get the error message "Validation failed" in the Azure portal, it's likely because you selected the **Location** as **US West 2** or another unsupported location. To resolve this error, go to the previous step and choose **(US) West US** for the **Location**. - ![iMCC img09](images/imcc09.png) +:::image type="content" source="images/imcc07.png" alt-text="'Validation failed' error message for Connected Cache in an unsupported location."::: -4. 
Clicking the **Create Cache Node** button will open the **Create Cache Node** page; **Cache Node Name** is the only field required for cache node creation. +##### Error: Could not create Marketplace item -| **Field Name** | **Expected Value** | **Description** | -|-------------------------------|--------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | -| **Server II Address** | Ipv4 Address | IP address of your MCC server. This is used to route end-user devices in your network to the server for Microsoft content downloads. **The IP address must be publicly accessible.** | -| **Address Range/CIDR Blocks** | IPv4 CIDR notation | IP Address range/CIDR blocks that should be routed to the MCC server as a comma separated list. For example: 2.21.234.0/24 , 3.22.235.0/24 , 4.23.236.0/24 | -| **Enable Cache Node** | Enable/Disable Radio Button | **Enable** permits the cache node to receive content requests.
    **Disable** prevents the cache node from receiving content requests.
    Cache nodes are enabled by default. | +If you get the error message "Could not create marketplace item" in the Azure portal, use the following steps to troubleshoot: - ![iMCC img10](images/imcc10.png) +- Make sure that you've selected **Microsoft Connected Cache** and not _Connected Cache resources_ while trying to create a MCC resource. -Hovering your cursor next to each field will populate the details of that field. +- Make sure that you're using the same subscription that you provided to Microsoft and you have privileges to create an Azure resource. - ![iMCC img11](images/imcc11.png) +- If the issue persists, clear your browser cache and start in a new window. -There are two other read-only fields on this page that are populated after the cache node is created: +### Create a MCC node in Azure -| **Field Name** | **Description** | -|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **IP Space** | Number of IP addresses that will be routed to your cache server. | -| **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscripiton ID. | +1. After you successfully create the resource, select **Go to resource**. -5. Enter the information for the Cache Node and click on the Create button. In the screenshot below only the Cache Node Name is provided, but all information can be included if desired. +1. Under the **Cache Node Management** section in the left panel, select **Cache Nodes**. - ![iMCC img12](images/imcc12.png) + :::image type="content" source="images/imcc08.png" alt-text="The 'Cache Nodes' option in the Cache Node Management menu section."::: - If there are errors the form will provide guidance on how to correct the errors. For example: +1. On the **Cache Nodes** section, select **Create Cache Node**. 
- - The cache node name is in use in the resource or is an incorrect format. - - If the CIDR block notation or list is incorrect. - - The server IP address or CIDR block are already in use. + :::image type="content" source="images/imcc09.png" alt-text="Select the 'Create Cache Node' option."::: - See the following example with all information entered: +1. This action opens the **Create Cache Node** page. The only required fields are **Cache Node Name** and **Max Allowable Egress (Mbps)**. - ![iMCC img13](images/imcc13.png) + | Field name | Expected value | Description | + |--|--|--| + | **Cache Node Name** | Alphanumeric name that includes no spaces. | The name of the cache node. You may choose names based on location like Seattle-1. This name must be unique and can't be changed later. | + | **Server IP Address** | IPv4 Address | IP address of your MCC server. This address is used to route end-user devices in your network to the server for Microsoft content downloads. _The IP address must be publicly accessible._ | + | **Max Allowable Egress (Mbps)** | Integer in Mbps | The maximum egress (Mbps) of your MCC based on the specifications of your hardware. For example, `10,000` Mbps. | + | **Address Range/CIDR Blocks** | IPv4 CIDR notation | The IP address range (CIDR blocks) that should be routed to the MCC server as a comma separated list. For example: `2.21.234.0/24, 3.22.235.0/24, 4.23.236.0/24` | + | **Enable Cache Node** | Enable or Disable | **Enable** permits the cache node to receive content requests.
    **Disable** prevents the cache node from receiving content requests.
    Cache nodes are enabled by default. | - Once the MCC Node has been created, the installer instructions will be exposed. More details on the installer instructions will be addressed later in this doc can be found at the [Install Connected Cache](#install-mcc) section. + :::image type="content" source="images/imcc10.png" alt-text="Available fields on the Create Cache Node page."::: - ![iMCC img14](images/imcc14.png) + > [!TIP] + > The information icon next to each field provides a description. + > + > :::image type="content" source="images/imcc11.png" alt-text="Create Cache Node page showing the description for the Server IP Address field."::: + + > [!NOTE] + > After you create the cache node, if you return to this page, it populates the values for the two read-only fields: + > + > | Field name | Description | + > |--|--| + > | **IP Space** | Number of IP addresses that will be routed to your cache server. | + > | **Activation Keys** | Set of keys to activate your cache node with the MCC services. Copy the keys for use during install. The CustomerID is your Azure subscription ID. | + +1. Enter the information to create the cache node, and then select **Create**. + + :::image type="content" source="images/imcc12.png" alt-text="Select 'Create' on the Create Cache Node page."::: + +If there are errors, the page gives you guidance on how to correct the errors. For example: + +- The cache node name is already in use in the resource or is an incorrect format. +- The CIDR block notation or list is incorrect. +- The server IP address or CIDR block is already in use. + +See the following example with all information entered: + +:::image type="content" source="images/imcc13.png" alt-text="Create Cache Node page with all information entered."::: + +Once you create the MCC node, it will display the installer instructions. For more information on the installer instructions, see the [Install Connected Cache](#install-mcc) section. 
+ +:::image type="content" source="images/imcc14.png" alt-text="Cache node successfully created with Connected Cache installer instructions."::: ### IP address space approval -There are three states for IP address space that are explained in the table below. The preview will require approval from Microsoft CIDR block ranges that contain more than 50,000 IP addresses. In the future, MCC configuration will support BGP and will therefore have automatic routing capabilities. +There are three states for IP address space. MCC configuration supports BGP and has automatic routing capabilities. -| **IP address space status** | **Description** | -|------------------------|------------------------------------| -| **Valid** | The IP address space is below the 50,000 IP address space threshold and the space does not overlap with existing cache nodes. | -| **In Review** | The IP address space exceeds the 50,000 IP address space and is under review with Microsoft to ensure valid IP address space. | -| **Attention Required** | The IP address space has been reviewed and an issue was discovered. Some examples include: IP address space overlap with existing cache node belonging to another customer. IP address space was exceedingly large. Contact Microsoft for more information if your IP address space has this status. | +- **Valid**: The IP address space is approved. -See the following example: +- **In Review**: The IP address space is under review with Microsoft to ensure valid IP address space. -![iMCC img15](images/imcc15.png) +- **Attention Required**: The IP address space has been reviewed and an issue was discovered. For example: -## Edit Cache Node Information + - The IP address space overlaps with an existing cache node that belongs to another customer -IP address or CIDR information can be modified for existing MCC nodes in the portal. + - The IP address space was exceedingly large. 
-To edit IP address or CIDR information, click on the Cache Node Name which will open the Cache Node Configuration page. Cache nodes can be deleted here by clicking the check box to the left of a Cache Node Name and then clicking the delete toolbar item. Be aware that if a cache node is deleted, there is no way to recover the cache node or any of the information related to the cache node. + If your IP address space has this status, contact Microsoft for more information. -![iMCC img16](images/imcc16.png) +:::image type="content" source="images/imcc15.png" alt-text="A list of cache node names with example IP address space statuses."::: -The Server IP Address, Address Range/CIDR Blocks, and Enable Cache Node are all editable as show below: +## Edit cache node information -![iMCC img17](images/imcc17.png) +:::image type="content" source="images/imcc16.png" alt-text="Cache Nodes list in the Azure portal."::: -## Set up a server with SR or an Ubuntu +To modify the configuration for existing MCC nodes in the portal, select the cache node name in the cache nodes list. This action opens the **Cache Node Configuration** page. You can edit the **Server IP Address** or **Address Range/CIDR Blocks** field. You can also enable or disable the cache node. -The MCC module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. As discussed earlier, the recommended configuration (details below) will serve approximately 35,000 consumer devices downloading a 2GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. 
+:::image type="content" source="images/imcc17.png" alt-text="Cache Node Configuration page, highlighting editable fields."::: -| | **Minimum** | **Recommended** | -|-------------|---------------------------------------------|----------------------------------------------------| -| **Server** | Ubuntu 20.04 LTS VM or physical server | Ubuntu 20.04 LTS VM or physical server (preferred) | -| **NIC** | 10 Gbps | 10 Gbps | -| **Disk** | SSD 1 – 2 drives minimum 2 TB each minimum | SSD 2 – 4 drives minimum 2 TB each minimum | -| **Memory** | 8 GB | 32 GB or more | -| **Cores** | 4 | 8 or more | +To delete a cache node, select it in the cache nodes list, and then select **Delete** in the toolbar. If you delete a cache node, there's no way to recover it or any of the information related to the cache node. ## Install MCC -Installing MCC on your physical server or VM is a straightforward process. A Bash script installer performs the following tasks: +To install MCC on your physical server or VM, you use a Bash script installer, which runs the following tasks: -- Azure IoT Edge relies on an OCI-compatible container runtime. The script - will install the Moby engine and CLI. -- Installs IoT Edge. -- Installs SSH to support remote access to the server -- Enables the firewall and opens port 80 for inbound and outbound traffic. Port 80 is used by MCC. -- Configures Connected Cache tuning settings. -- Creates the necessary *FREE* Azure resource - IoT Hub/IoT Edge. -- Deploys the MCC container to server. +- Installs the Moby engine and CLI. +- Installs IoT Edge. +- Installs SSH to support remote access to the server. +- Enables the firewall and opens port 80 for inbound and outbound traffic. The MCC uses port 80. +- Configures Connected Cache tuning settings. +- Creates the necessary free Azure resource: IoT Hub/IoT Edge. +- Deploys the MCC container to the server. 
> [!IMPORTANT] -> Ensure that port 5000 is open so Microsoft can verify proper functioning of the cache server +> Make sure that the following ports are open so that Microsoft can verify proper functionality of the cache server: +> +> - 80: content delivery +> - 179: BGP session +> - 443: IoT Edge secure communication +> - 5000: (optional) used to view locally running report +> - 5671: IoT Edge communication/container management +> - 8883: IoT Edge communication/container management ### Steps to install MCC -1. Download and unzip mccinstaller.zip from the create cache node page or cache node configuration page which contains the necessary installation files. +Before you start, make sure that you have a data drive configured on your server. You'll need to specify the location for this cache drive during this process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). - ![iMCC img18](images/imcc18.png) +1. From either **Create Cache Node** or **Cache Node Configuration** pages, select **Download Installer** to download the installer file. - Files contained in the mccinstaller.zip file: + :::image type="content" source="images/imcc18.png" alt-text="The Create Cache Node page highlighting the Download Installer action."::: - - **installmcc.sh** – main installer file. - - **installIotEdge.sh** – Installs the necessary prerequisites like IoT Edge runtime and Docker and makes necessary host OS settings to optimization caching performance. - - **resourceDeploymentForConnectedCache.sh** – Creates Azure cloud resources required to support MCC control plane. - - **mccdeployment.json** – Deployment manifest used by IoT Edge to deploy the MCC container and configure settings on the container like cache drives location sizes. + Unzip the **mccinstaller.zip** file, which includes the following installation files and folders: -2. 
Copy all 4 installation files to your Linux server (physical or VM) + - Diagnostics folder: Used to create diagnostics support bundle. + - **installmcc.sh**: Main installer file. + - **installIotEdge.sh**: Installs the necessary prerequisites. For example, IoT Edge runtime and Docker. It also makes necessary host OS settings to optimize caching performance. + - **resourceDeploymentForConnectedCache.sh**: Creates Azure cloud resources required to support the MCC control plane. + - **mccdeployment.json**: Deployment manifest used by IoT Edge to deploy the MCC container. It also configures settings on the container like cache drives location and sizes. + - **mccupdate.json** + - **packagever.txt** + - **uninstallmcc.sh**: Main uninstaller file. + - **updatemcc.sh**: Main update file. -3. Before proceeding, ensure that you have a data drive configured on your server. You'll need to specify the location for this cache drive on step 9. Mimimum size for the data drive is 100GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) +1. Copy all files to your Linux server. -4. Open a terminal and change the access permissions to execute on the **installmcc.sh** Bash script file using chmod. +1. Open a terminal window. Change the access permissions to execute on the **installmcc.sh** Bash script file using `chmod`. ```bash sudo chmod +x installmcc.sh ``` -5. Copy the Bash script line provided and run the Bash script from the terminal. +1. In the Azure portal, in the Connected Cache installer instructions, copy the cache node installer Bash script command. Run the Bash script from the terminal. - ![iMCC img19](images/imcc19.png) + :::image type="content" source="images/imcc19.png" alt-text="Copy the cache node installer Bash script in the Connected Cache installer instructions."::: -6. You'll be prompted to sign in to the Azure Portal using a device code. +1. 
Sign in to the Azure portal with a device code. - ![iMCC img20](images/imcc20.png) + :::image type="content" source="images/imcc20.png" alt-text="Bash script prompt to sign in to the Azure portal with a device code."::: -7. You'll be prompted to enter the Azure Container Registry (ACR) password for access to the MCC container. +1. Specify the number of drives to configure. Use an integer value less than 10. - ![iMCC img21](images/imcc21.png) + :::image type="content" source="images/imcc22.png" alt-text="Bash script prompt to enter the number of cache drives to configure."::: -8. You'll then be prompted with the number of drives to configure. +1. Specify the location of the cache drives. For example, `/datadrive/` - ![iMCC img22](images/imcc22.png) + :::image type="content" source="images/imcc23.png" alt-text="Bash script prompt to enter the location for cache drive."::: -9. The script will prompt for location and size of the cache drives. + > [!IMPORTANT] + > The script changes the permission and ownership on the cache drive to **everyone** with the command `chmod 777`. + > + > Don't point the cache drive to any of the following locations: + > + > - `.` + > - `./var` + > - `/` + > - `` + > + > Specifying any of these will corrupt the OS, and you'll need to re-install the image again. - ![iMCC img23](images/imcc23.png) +1. Specify an integer value as the size in GB for each cache drive. The minimum is `100` GB. -> [!IMPORTANT] -> The permissions / ownerships on the cache drive location will be changed to everyone via chmod 777
    -> **Don't** point the cache drive location to any of the following: “**.**”, “**./var**”, “**/**”, “**\**” + :::image type="content" source="images/imcc24.png" alt-text="Bash script prompt to enter the amount of space to allocate to the cache drive."::: -Specifying any of the directories mentioned above will corrupt the VM and you -will need to provision a new one. +1. Specify whether you have an existing IoT Hub. -![iMCC img24](images/imcc24.png) + - If this process is for your _first MCC deployment_, enter `n`. -1. If this is your first MCC deployment, select “n” when - prompted for an IoT Hub. If this is **not** your first MCC deployment, you - can use an existing IoT hub from your previous MCC installation. After - selecting “Y”, we will display your existing IoT Hubs, you can copy and - paste the resulting IoT Hub name to continue. + - If you already have a MCC deployment, you can use an existing IoT Hub from your previous installation. Select `Y` to see your existing IoT Hubs. You can copy and paste the resulting IoT Hub name to continue. - ![iMCC img25](images/imcc25.png) + :::image type="content" source="images/imcc25.png" alt-text="Bash script output with steps for existing IoT Hub."::: -2. If there are no errors go to the next step. +1. If you want to configure BGP, enter `y`. If you want to use manual entered prefixes for routing, enter `n` and skip to Step 16. You can always configure BGP at a later time using the Update Script. - - If there are errors, inspect the installer logs which are under /etc/mccresourcecreation/. - - If there were follow the instructions to [Troubleshoot your IoT Edge device(/azure/iot-edge/troubleshoot). + 1. Enter the number of BGP neighbors you want to configure. + 1. Enter the IP address for the neighbor. + 1. Enter the ASN corresponding to that neighbor. This value should be the same ASN as the MCC -iBGP connection. + 1. Repeat these steps for each neighbor you need to configure. 
-## Verify Proper Functioning MCC Server + > [!NOTE] + > With the BGP configuration, you're essentially setting up an iBGP neighbor in your public ASN. For example, when you initiate the BGP session from the router to the cache node, you would use your own ASN. + +1. BGP is now configured from the MCC side. From your end, establish a neighborship from your router to MCC's host machine. Use the IP address of the host machine that's running the MCC container. + + 1. Make sure there aren't any firewall rules blocking this connection. + 1. Verify that the BGP connection has been established and that you're advertising routes to the MCC. + 1. Wait five minutes to refresh the cache node page in the Azure portal to see the BGP routes. + +1. Confirm the update is complete by running the following command. + + ```bash + sudo iotedge list + ``` + + Make sure MCC is running on the latest version. If you only see **edgeAgent** and **edgeHub**, wait five minutes and run this command again. + +1. Make sure MCC is reachable. Replace `` with the IP address of your MCC or localhost. + + ```bash + wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com + ``` + +1. After you successfully complete the update, go to the Azure portal. To check the routes being reported, select **Download JSON**. + +1. To start routing using BGP, change the **Prefix Source** from **Manually Entered** to **Use BGP**. + + :::image type="content" source="images/imcc55.PNG" alt-text="Cache node configuration with the Prefix Source set to Use BGP."::: + + +1. If there are no errors, go to the next section to verify the MCC server. + + If there are errors: + + - Inspect the installer logs, which are in the following path: `/etc/mccresourcecreation/` + + - For more information, see [Troubleshoot your IoT Edge device](/azure/iot-edge/troubleshoot). 
+ +## Verify properly functioning MCC server ### Verify client side -Sign in to the Connected Cache server or ssh and run the following command from a terminal to see the running modules (containers): +Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers): ```bash -sudo iotedge list​ +sudo iotedge list ``` -![iMCC img26](images/imcc26.png) +:::image type="content" source="images/imcc26.png" alt-text="Terminal output of iotedge list command, showing the running containers."::: -If **edgeAgent** and **8edgeHub** containers are listed, but not “MCC”, you may view the status of the IoTEdge security manager using the command: +If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command provides the current status of the starting, stopping of a container, or the container pull and start as is shown in the sample below: +For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: -![iMCC img27](images/imcc27.png) +:::image type="content" source="images/imcc27.png" alt-text="Terminal output of journalctl command for iotedge."::: ### Verify server side It can take a few minutes for the container to deploy. -For a validation of properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace \ with the IP address of the cache server. +To validate a properly functioning MCC, run the following command in the terminal of the cache server or any device in the network. Replace `` with the IP address of the cache server. 
```bash wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com ``` -A successful test result will look like this: +The following screenshot shows a successful test result: -![iMCC img28](images/imcc28.png) +:::image type="content" source="images/imcc28.png" alt-text="Terminal output of successful test result with wget command to validate a MCC."::: -Similarly, enter the following URL into a web browser on the network: +Similarly, enter the following URL into a web browser on any device on the network: ```http http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com ``` -If the test fails, see the [common issues](#common-issues) section below for more information. +If the test fails, for more information, see the [common issues](#common-issues) section. ## Common Issues > [!NOTE] -> Consult the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot) for any issues you may encounter configuring IoT Edge. A few common issues are listed below. +> This section only lists common issues. For more information on additional issues you may encounter when configuring IoT Edge, see the [IoT Edge troubleshooting guide](/azure/iot-edge/troubleshoot). -Use the following command to check the IoT Edge Journal: +Use the following command to check the IoT Edge journal: ```bash -sudo journalctl -u iotedge –f +sudo journalctl -u iotedge -f ``` -## DNS needs to be configured +### DNS needs to be configured -Run the following IoT Edge setup/install state check: +Run the following IoT Edge install state check: ```bash sudo iotedge check --verbose ``` -If you see issues with ports 5671, 443, and 8883 similar to the screenshot below, it means that your IoT Edge device needs to update the DNS for Docker. +If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker. 
-![iMCC img29](images/imcc29.png) +To configure the device to work with your DNS, use the following steps: -Follow the steps below to configure the device to work with your DNS: - -1. Use ifconfig to find appropriate NIC adapter name. +1. Use `ifconfig` to find the appropriate NIC adapter name. ```bash - ifconfig​ + ifconfig ``` -2. Run nmcli device show \ to show you the DNS name for Ethernet adapter. For example to show DNS - information for eno1: + +1. Run `nmcli device show ` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**: ```bash nmcli device show eno1 - ``` - - ![iMCC img30](images/imcc30.png) - -3. Open/create the Docker configuration file used to configure the DNS server - - ```bash - sudo nano /etc/docker/daemon.json​ ``` -4. Paste the following into the daemon.json file (In the example above IP4.DNS[1] is used) + :::image type="content" source="images/imcc30.png" alt-text="Sample output of nmcli command to show network adapter information."::: + +1. Open or create the Docker configuration file used to configure the DNS server. + + ```bash + sudo nano /etc/docker/daemon.json + ``` + +1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`. ```bash { "dns": ["x.x.x.x"]} ``` -5. Save the file changes to daemon.json. **Note**: You might need to change permissions on this file. For example: + +1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command: ```bash - sudo chmod 555 /etc/docker/daemon.json​ + sudo chmod 555 /etc/docker/daemon.json ``` -6. Restart Docker (to pick up the new DNS) and restart IoTEdge - +1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge. 
+ ```bash - sudo systemctl restart dockersudo systemctl daemon-reloadsudo restart IoTEdge + sudo systemctl restart docker + sudo systemctl daemon-reload + sudo restart IoTEdge ``` -## Diagnostics Script +### Diagnostics script -If you're having issues with your MCC, we included a diagnostics script which will collect all your logs and zip them into a single file. You can then send us these logs via email for the MCC team to debug. +If you're having issues with your MCC, the installer file includes a diagnostics script. The script collects all logs and zips them into a single file. You can then email these logs to Microsoft. -To run this script: +To run the script: -1. Navigate to the following folder in the MCC installation files: +1. Navigate to the following folder in the MCC installation files: -**mccinstaller** \> **MccResourceInstall** \> **Diagnostics** + `mccinstaller > MccResourceInstall > Diagnostics` -2. Run the following commands: +1. Run the following commands: ```bash sudo chmod +x collectMccDiagnostics.sh sudo ./collectMccDiagnostics.sh ``` -3. The script stores all the debug files into a folder and the creates a tar file. After the script is finished running, it will output the path of the tar file that you can share with the MCC team. The file should be **/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz**. -4. [Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during out debugging process. +1. The script stores all the debug files into a folder and creates a tar file. After the script is finished running, it displays the path of the tar file that you can share with the MCC team. The file should be `/etc/mccdiagnostics/support_bundle_\$timestamp.tar.gz` + +1. 
[Email the MCC team](mailto:msconnectedcache@microsoft.com?subject=Debugging%20Support%20Request%20for%20MCC) and attach this tar file, asking for debugging support. Screenshots of the error along with any other warnings you saw will be helpful during the debugging process. ## Updating your MCC -Throughout the private preview phase, we will send you security and feature updates for MCC. Please follow these steps to perform the update. +Throughout the private preview phase, Microsoft will release security and feature updates for MCC. Follow these steps to update your MCC. -Run the following commands with the **arguments** we provided in the email to update your MCC: +Run the following commands, replacing the variables with the values provided in the email to update your MCC: ```bash sudo chmod +x updatemcc.sh sudo chmod +x installIoTEdge.sh -sudo ./updatemcc.sh version="\<**VERSION**\>" tenantid="\<**TENANTID**\>" customerid="\<**CUSTOMERID**\>" cachenodeid="\<**CACHENODEID**\>" customerkey="\<**CUSTOMERKEY**\>" +sudo ./updatemcc.sh version="" tenantid="" customerid="" cachenodeid="" customerkey="" ``` For example: + ```bash -sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa” +sudo ./updatemcc.sh version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.981" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99aa" ``` +### Configure BGP on an Existing MCC + +If you have a MCC that's already active and running, follow the steps below to configure BGP. + +1. Run the Update commands as described above. + +1. Sign in with your Azure credentials using the device code. 
+ +1. To finish configuring your MCC with BGP routing, continue from Step 10 of [Steps to Install MCC](#steps-to-install-mcc). + ## Uninstalling MCC -In the zip file, you'll find the file **uninstallmcc.sh** which uninstalls MCC and all the related components. Please contact the MCC Team before running this script and only run this script if you're facing issues with MCC installation. **Exercise caution before running this script as existing IoT workflows in this VM will also be erased.** +In the installer zip file, you'll find the file **uninstallmcc.sh**. This script uninstalls MCC and all the related components. Before you run this script, contact the MCC team. Only run it if you're facing issues with MCC installation. -The **uninstallmcc.sh** script will remove the following: +> [!WARNING] +> Be cautious before running this script. It will also erase existing IoT workflows in this VM. + +The **uninstallmcc.sh** script removes the following components: - IoT Edge - Edge Agent - Edge Hub - MCC - Moby CLI -- Moby Engine +- Moby engine -To run the script, enter the following commands: +To run the script, use the following commands: ```bash sudo chmod +x uninstallmcc.sh sudo ./uninstallmcc.sh ``` + ## Appendix -### Steps to obtain an Azure Subscription ID +### Steps to obtain an Azure subscription ID -1. Sign in to https://portal.azure.com/ and navigate to the Azure services section. -2. Click on **Subscriptions**. If you don't see **Subscriptions**, click on the **More Services** arrow and search for **Subscriptions**. -3. If you already have an Azure Subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. -4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you'll not be charged for using the MCC service. -5. On the **Subscriptions** blade, you'll find details about your current subscription. Click on the subscription name. -6. 
After you select the subscription name, you'll find the subscription ID in the **Overview** tab. Click on the **Copy to clipboard** icon next to your Subscription ID to copy the value. +1. Sign in to the [Azure portal](https://portal.azure.com/) and go to the **Azure services** section. -### Performance of MCC in Hypervisor environments +2. Select **Subscriptions**. If you don't see **Subscriptions**, select the **More Services** arrow and search for **Subscriptions**. -We have observed in hypervisor environments the cache server peak egress at around 1.1 Gbps. If you wish to maximize the egress in hypervisor environments it is critical to make two settings changes. +3. If you already have an Azure subscription, skip to step 5. If you don't have an Azure Subscription, select **+ Add** on the top left. -1. Enable **SR-IOV** in the BIOS AND enable **SR-IOV** in the NIC properties, and finally, enable **SR-IOV** in the hypervisors for the MCC VM. Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. +4. Select the **Pay-As-You-Go** subscription. You'll be asked to enter credit card information, but you won't be charged for using the MCC service. -2. Enable “high performance” in the BIOS as opposed to energy savings. Microsoft has found this setting nearly doubled egress a Microsoft Hyper-V deployment. +5. On the **Subscriptions** section, you'll find details about your current subscription. Select the subscription name. + +6. After you select the subscription name, you'll find the subscription ID in the **Overview** tab. To copy the value, select the **Copy to clipboard** icon next to your subscription ID. + +### Performance of MCC in virtual environments + +In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change the following two settings: + +1. 
Enable **SR-IOV** in the following three locations: + + - The BIOS of the MCC VM + - The MCC VM's network card properties + - The hypervisor for the MCC VM + + Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. + +2. Enable "high performance" in the BIOS instead of energy savings. Microsoft has found this setting nearly doubled egress in a Microsoft Hyper-V deployment. + +### Grant other users access to manage your MCC + +More users can be given access to manage Microsoft Connected Cache, even if they don't have an Azure account. Once you've created the first cache node in the portal, you can add other users as **Owners** of the Microsoft Connected Cache resource group and the Microsoft Connected Cache resource. + +For more information on how to add other users as an owner, see [Grant a user access to Azure resources using the Azure portal](/azure/role-based-access-control/quickstart-assign-role-user-portal). Make sure to do this action for both the _MCC resource_ and _MCC resource group_. ### Setting up a VM on Windows Server You can use hardware that will natively run Ubuntu 20.04 LTS, or you can run an Ubuntu VM. The following steps describe how to set up a VM on Hyper-V. -1. Download the ISO. You can use either Ubuntu Desktop or Ubuntu Server. +1. Download the ISO. You can use either Ubuntu Desktop or Ubuntu Server. - 1. [Download Ubuntu Desktop](https://ubuntu.com/download/desktop) - 2. [Download Ubuntu Server](https://mirror.cs.jmu.edu/pub/ubuntu-iso/20.04.2/ubuntu-20.04.2-live-server-amd64.iso) + - [Download Ubuntu Desktop](https://ubuntu.com/download/desktop) + - [Download Ubuntu Server](https://mirror.cs.jmu.edu/pub/ubuntu-iso/20.04.2/ubuntu-20.04.2-live-server-amd64.iso) -2. Start the **New Virtual Machine Wizard**, give your VM a name, and choose a location. - - ![iMCC img31](images/imcc31.png) - ![iMCC img32](images/imcc32.png) +1. Start the **New Virtual Machine Wizard** in Hyper-V. -3. 
Choose a **Generation 2** VM, and specify the startup memory. You can't change the VM generation 2 later. - - ![iMCC img33](images/imcc33.png) - ![iMCC img34](images/imcc34.png) + :::image type="content" source="images/imcc31.png" alt-text="The Before You Begin page of the Hyper-V New Virtual Machine Wizard."::: -4. Choose the network adapter. - - ![iMCC img35](images/imcc35.png) +1. Specify a name and choose a location. -5. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. That example below allocates one terabyte. - - ![iMCC img36](images/imcc36.png) + :::image type="content" source="images/imcc32.png" alt-text="The Specify Name and Location page of the Hyper-V New Virtual Machine Wizard."::: -6. Install from the ISO for Ubuntu 20.04 LTS that you downloaded. - - ![iMCC img37](images/imcc37.png) +1. Select **Generation 2**. You can't change this setting later. -7. Finish the creation of the Ubuntu VM. - - ![iMCC img38](images/imcc38.png) + :::image type="content" source="images/imcc33.png" alt-text="The Specify Generation page of the Hyper-V New Virtual Machine Wizard."::: -8. Before you start the Ubuntu VM make sure secure boot is **disabled** and that you have allocated multiple cores to the VM. The example below has allocated 12, but your configuration may vary. - - ![iMCC img39](images/imcc39.png) - ![iMCC img40](images/imcc40.png) - ![iMCC img41](images/imcc41.png) +1. Specify the startup memory. -9. Start the VM and choose the option that will Install Ubuntu. Choose your default language. - - ![iMCC img42](images/imcc42.png) - ![iMCC img43](images/imcc43.png) + :::image type="content" source="images/imcc34.png" alt-text="The Assign Memory page of the Hyper-V New Virtual Machine Wizard."::: -10. Choose the options you wish for installing updates and third party hardware. In the example below, we have chosen to download updates and install - third party software drivers. 
- - ![iMCC img44](images/imcc44.png) +1. Choose the network adapter connection. -11. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. Choose your time zone, and keyboard layout. - - ![iMCC img45](images/imcc45.png) - ![iMCC img46](images/imcc46.png) - ![iMCC img47](images/imcc47.png) - ![iMCC img48](images/imcc48.png) + :::image type="content" source="images/imcc35.png" alt-text="The Configure Networking page of the Hyper-V New Virtual Machine Wizard."::: -12. Choose your username, a name for your computer, and a password. Remember, everything is case sensitive in Linux. You'll be asked to reboot in order to complete the installation. - - ![iMCC img49](images/imcc49.png) - ![iMCC img50](images/imcc50.png) +1. Set the virtual hard disk parameters. You should specify enough space for the OS and the content that will be cached. For example, `1024` GB is 1 terabyte. -13. **Important**: When prompted with the option to upgrade, decline. + :::image type="content" source="images/imcc36.png" alt-text="The Connect Virtual Hard Disk page of the Hyper-V New Virtual Machine Wizard."::: - ![iMCC img51](images/imcc51.png) - ![iMCC img52](images/imcc52.png) +1. Select **Install an OS from a bootable image file** and browse to the ISO for Ubuntu 20.04 LTS that you previously downloaded. -Your Ubuntu VM should now be ready to [Install MCC](#install-mcc). + :::image type="content" source="images/imcc37.png" alt-text="The Installation Options page of the Hyper-V New Virtual Machine Wizard."::: + +1. Review the settings and select **Finish** to create the Ubuntu VM. + + :::image type="content" source="images/imcc38.png" alt-text="Completing the New Virtual Machine Wizard on Hyper-V."::: + +1. Before you start the Ubuntu VM, disable **Secure Boot** and allocate multiple cores to the VM. + + 1. In Hyper-V Manager, open the **Settings** for the VM. 
+ + :::image type="content" source="images/imcc39.png" alt-text="Open Settings for a VM in Hyper-V Manager."::: + + 1. Select **Security**. Disable the option to **Enable Secure Boot**. + + :::image type="content" source="images/imcc40.png" alt-text="Security page of VM settings in Hyper-V Manager."::: + + 1. Select **Processor**. Increase the number of virtual processors. This example shows `12`, but your configuration may vary. + + :::image type="content" source="images/imcc41.png" alt-text="Processor page of VM settings in Hyper-V Manager."::: + +1. Start the VM and select **Install Ubuntu**. + + :::image type="content" source="images/imcc42.png" alt-text="GNU GRUB screen, select Install Ubuntu."::: + +1. Choose your default language. + + :::image type="content" source="images/imcc43.png" alt-text="Ubuntu install, Welcome page, select language."::: + +1. Choose the options for installing updates and third party hardware. For example, download updates and install third party software drivers. + +1. Select **Erase disk and install Ubuntu**. If you had a previous version of Ubuntu installed, we recommend erasing and installing Ubuntu 16.04. + + :::image type="content" source="images/imcc45.png" alt-text="Ubuntu install, Installation type page, Erase disk and install Ubuntu."::: + + Review the warning about writing changes to disk, and select **Continue**. + + :::image type="content" source="images/imcc46.png" alt-text="Ubuntu install, 'Write the changes to disks' warning."::: + +1. Choose the time zone. + + :::image type="content" source="images/imcc47.png" alt-text="Ubuntu install, 'Where are you page' to specify time zone."::: + +1. Choose the keyboard layout. + + :::image type="content" source="images/imcc48.png" alt-text="Ubuntu install, Keyboard layout page."::: + +1. Specify your name, a name for the computer, a username, and a strong password. Select the option to **Require my password to log in**. + + > [!TIP] + > Everything is case sensitive in Linux. 
+ + :::image type="content" source="images/imcc50.png" alt-text="Ubuntu install, 'Who are you' screen."::: + +1. To complete the installation, select **Restart now**. + + :::image type="content" source="images/imcc51.png" alt-text="Ubuntu install, installation complete, restart now."::: + +1. After the computer restarts, sign in with the username and password. + + > [!IMPORTANT] + > If it shows that an upgrade is available, select **Don't upgrade**. + > + > :::image type="content" source="images/imcc52.png" alt-text="Ubuntu install, Upgrade Available prompt, Don't Upgrade."::: + +Your Ubuntu VM is now ready to [Install MCC](#install-mcc). ### IoT Edge runtime -The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. The runtime sits on the IoT Edge device, and performs management and communication operations. The runtime performs several functions: +The Azure IoT Edge runtime enables custom and cloud logic on IoT Edge devices. The runtime sits on the IoT Edge device, and does management and communication operations. The runtime does the following functions: -- Installs and update workloads (Docker containers) on the device. -- Maintains Azure IoT Edge security standards on the device. -- Ensures that IoT Edge modules (Docker containers) are always running. -- Reports module (Docker containers) health to the cloud for remote - monitoring. -- Manages communication between an IoT Edge device and the cloud. +- Installs and updates workloads (Docker containers) on the device. +- Maintains Azure IoT Edge security standards on the device. +- Makes sure that IoT Edge modules (Docker containers) are always running. +- Reports module (Docker containers) health to the cloud for remote monitoring. +- Manages communication between an IoT Edge device and the cloud. -For more information on Azure IoT Edge, please see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). 
+For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Also see +## Related articles + +[Microsoft Connected Cache for enterprise and education](mcc-enterprise.md) -[Microsoft Connected Cache for Enterprise and Education](mcc-enterprise.md)
    [Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 5408351bda..19d12f832c 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
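Review bot: In the "Setting up a VM on Windows Server" steps of the MCC article, the new step `Select **Erase disk and install Ubuntu**` keeps the sentence "we recommend erasing and installing Ubuntu 16.04", which contradicts the rest of the section: it targets Ubuntu 20.04 LTS and has the reader boot the 20.04 LTS ISO. Suggest changing this to 20.04 LTS or dropping the version number. Two smaller points in the same hunk: the updated example command fixes the closing quote on `customerkey` but leaves `cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 "` with spaces inside the quotes, which a reader copying the pattern would pass to `updatemcc.sh` as part of the ID; and the SR-IOV list now says "The BIOS of the MCC VM" where the removed text only said "in the BIOS", so please confirm the rewrite did not change which BIOS is meant.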
@@ -104,162 +104,10 @@ To do this in Group Policy, go to **Computer Configuration\Administrative Templa To do this with MDM, go to **.Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set DOMaxCacheAge to 7 or more (up to 30 days). -[//]: # (material about "preferred" devices; remove MinQos/MaxCacheAge; table format?) -## Monitor Delivery Optimization + +[!INCLUDE [Monitor Delivery Optimization](includes/waas-delivery-optimization-monitor.md)] -[//]: # (How to tell if it's working? What values are reasonable; which are not? If not, which way to adjust and how? -- check PercentPeerCaching for files > minimum >= 50%) - -### Windows PowerShell cmdlets - -**Starting in Windows 10, version 1703**, you can use new PowerShell cmdlets to check the performance of Delivery Optimization. - -#### Analyze usage - -`Get-DeliveryOptimizationStatus` returns a real-time snapshot of all current Delivery Optimization jobs. - -| Key | Value | -| --- | --- | -| File ID | A GUID that identifies the file being processed | -| FileSize | Size of the file | -| FileSizeInCache | Size of the file in the cache | -| TotalBytesDownloaded | The number of bytes from any source downloaded so far | -| PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | -| BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP | -| Status | Current state of the operation. 
Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | -| Priority | Priority of the download; values are **foreground** or **background** | -| BytesFromCacheServer | Total number of bytes received from cache server | -| BytesFromLanPeers | Total number of bytes received from peers found on the LAN | -| BytesFromGroupPeers | Total number of bytes received from peers found in the group | -| BytesFromInternetPeers | Total number of bytes received from internet peers | -| BytesToLanPeers | Total number of bytes delivered from peers found on the LAN | -| BytesToGroupPeers | Total number of bytes delivered from peers found in the group | -| BytesToInternetPeers | Total number of bytes delivered from peers found on the LAN | -| DownloadDuration | Total download time in seconds | -| HttpConnectionCount | | -| LanConnectionCount | | -| GroupConnectionCount | | -| InternetConnectionCount | | -| DownloadMode | | -| SourceURL | Http source for the file | -| CacheHost | IP address for the cache server | -| NumPeers | Indicates the total number of peers returned from the service. | -| PredefinedCallerApplication | Indicates the last caller that initiated a request for the file. | -| ExpireOn | The target expiration date and time for the file. | -| IsPinned | A yes/no value indicating whether an item has been "pinned" in the cache (see `setDeliveryOptmizationStatus`). 
| - -`Get-DeliveryOptimizationPerfSnap` returns a list of key performance data: - -| Key | Value | -| --- | --- | -| FilesDownloaded | Number of files downloaded | -| FilesUploaded | Number of files uploaded | -| Files | | -| TotalBytesDownloaded | Total bytes downloaded | -| TotalBytesUploaded | Total bytes uploaded | -| AverageDownloadSize | Average transfer size (download); that is, the number bytes downloaded divided by the number of files | -| AverageUploadSize | Average transfer size (upload); the number of bytes uploaded divided by the number of files | -| DownloadMode | Delivery Optimization Download mode used to deliver file | -| CacheSizeBytes | | -| TotalDiskBytes | | -| AvailableDiskBytes | | -| CpuUsagePct | | -| MemUsageKB | | -| NumberOfPeers | | -| CacheHostConnections | | -| CdnConnections | | -| LanConnections | | -| LinkLocalConnections | | -| GroupConnections | | -| InternetConnections | | -| DownlinkBps | | -| DownlinkUsageBps | | -| UplinkBps | | -| UplinkUsageBps | | -| ForegroundDownloadRatePct | | -| BackgroundDownloadRatePct | | -| UploadRatePct | | -| UplinkUsageBps | | -| ForegroundDownloadRatePct | | -| BackgroundDownloadRatePct | | -| UploadRatePct | | -| UploadCount | | -| ForegroundDownloadCount | | -| ForegroundDownloadsPending | | -| BackgroundDownloadCount | | -| BackgroundDownloadsPending | | - -Using the `-Verbose` option returns additional information: - -- Bytes from peers (per type) -- Bytes from CDN (the number of bytes received over HTTP) -- Average number of peer connections per download - -**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. - -Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. 
- -#### Manage the Delivery Optimization cache - -**Starting in Windows 10, version 1903:** - -`set-DeliveryOptimizationStatus -ExpireOn [date time]` extends the expiration of all files in the cache. You can set the expiration immediately for all files that are in the "caching" state. For files in progress ("downloading"), the expiration is applied once the download is complete. You can set the expiration up to one year from the current date and time. - -`set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. - -You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. - -`set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. - -`set-DeliveryOptimizationStatus -Pin [False] -File ID [FileID]` "unpins" a file, so that it will be deleted when the expiration date and time are reached. The file is included in the cache quota calculation. - -`delete-DeliveryOptimizationCache` lets you clear files from the cache and remove all persisted data related to them. You can use these options with this cmdlet: - -- `-FileID` specifies a particular file to delete. -- `-IncludePinnedFiles` deletes all files that are pinned. -- `-Force` deletes the cache with no prompts. 
- -#### Work with Delivery Optimization logs - -**Starting in Windows 10, version 2004:** - -- `Enable-DeliveryOptimizationVerboseLogs` -- `Disable-DeliveryOptimizationVerboseLogs` - -- `Get-DeliveryOptimizationLogAnalysis [ETL Logfile path] [-ListConnections]` - -With no options, this cmdlet returns these data: - -- total number of files -- number of foreground files -- minimum file size for it to be cached -- number of eligible (larger than the minimum size for peering) files -- number of files that found peers -- number of peering files (the number of files that got at least 1 byte from peers) -- overall efficiency -- efficiency in the peered files - -Using the `-ListConnections` option returns these details about peers: - -- destination IP address -- peer type -- status code -- bytes sent -- bytes received -- file ID - -**Starting in Windows 10, version 1803:** - -`Get-DeliveryOptimizationLog [-Path ] [-Flush]` - -If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. - -Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. - -[//]: # (section on what to look for in logs, list of peers, connection failures) - -[//]: # (possibly move to Troubleshooting) ### Monitor with Update Compliance diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 25a9c49bfe..9e46d92c6b 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
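Review bot: In waas-delivery-optimization-setup.md, the removed `## Monitor Delivery Optimization` heading is replaced only by the `[!INCLUDE ...]` line, while the context line `### Monitor with Update Compliance` stays as an H3 directly after it. Confirm that includes/waas-delivery-optimization-monitor.md supplies its own H2; otherwise this H3 ends up nested under the preceding section. While moving the cmdlet text, check that the errors visible in the removed lines are not carried into the include: `setDeliveryOptmizationStatus` in the IsPinned row, `-File ID` written with a space in the pin and unpin examples, the `BytesToInternetPeers` row described as "peers found on the LAN", and the repeated `UplinkUsageBps` through `UploadRatePct` rows in the PerfSnap table.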
@@ -41,9 +41,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Device type | Minimum Windows version |------------------|---------------| -| Computers running Windows 10 | Win 10 1511 | +| Computers running Windows 10 | Windows 10 1511 | | Computers running Server Core installations of Windows Server | Windows Server 2019 | -| Windows IoT devices | Win 10 1803 | +| Windows IoT devices | Windows 10 1803 | ### Types of download content supported by Delivery Optimization 
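Review bot: In the minimum-version table, `Windows 10 1511` and `Windows 10 1803` expand the abbreviation but still differ from the "Windows 10, version 1703" and "Windows 10, version 21H1" form used in running text elsewhere in this patch. Suggest `Windows 10, version 1511` and `Windows 10, version 1803`, or at least one form applied consistently across both tables in this file.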
@@ -51,19 +51,19 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------| -| Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store for Business files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows Defender definition updates | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Intune Win32 apps| Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Microsoft 365 Apps and updates | Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Edge Browser Updates | Win 10 1809, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Configuration Manager Express updates| Win 10 1709 + Configuration Manager version Win 10 1711, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Dynamic updates| Win 10 1903, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| MDM Agent | Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Xbox Game Pass (PC) | Win 10 1809, Win 11 | :heavy_check_mark: | | :heavy_check_mark: | -| Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | | -| MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | | +| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | 
:heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Edge Browser Updates | Windows 10 1809, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Configuration Manager Express updates| Windows 10 1709 + Configuration Manager version Windows 10 1711, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Dynamic updates| Windows 10 1903, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| MDM Agent | Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Xbox Game Pass (PC) | Windows 10 1809, Windows 11 | :heavy_check_mark: | | :heavy_check_mark: | +| Windows Package Manager| Windows 10 1809, Windows 11 | :heavy_check_mark: | | | +| MSIX | Windows 10 2004, Windows 11 | :heavy_check_mark: | | | #### Windows Server diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index febbb80275..051bc90e0d 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md 
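Review bot: In the content-types table of waas-delivery-optimization.md, the replacement of `Win 10` in the Configuration Manager Express updates row produces `Windows 10 1709 + Configuration Manager version Windows 10 1711`, which reads as if 1711 were a Windows release; the old line had the same problem as `Configuration Manager version Win 10 1711`. This looks like it should be `Configuration Manager version 1711`; please confirm and fix it in this hunk rather than carrying the error forward. The Windows Update row also still reads "feature updates quality updates" with no comma between the two items.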
@@ -1,21 +1,22 @@ --- title: Windows 10 features we're no longer developing -description: Review the list of features that are no longer being developed in Windows 10 +description: Review the list of features that are no longer being developed in Windows 10. ms.prod: w10 -ms.mktglfcycl: plan +ms.technology: windows ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby +ms.reviewer: ms.topic: article ms.collection: highpri --- # Windows 10 features we're no longer developing -> Applies to: Windows 10 +_Applies to:_ + +- Windows 10 Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). @@ -25,38 +26,38 @@ The features described below are no longer being actively developed, and might b **The following list is subject to change and might not include every affected feature or functionality.** -> [!NOTE] -> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). +> [!NOTE] +> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). |Feature | Details and mitigation | Announced in version | | ----------- | --------------------- | ---- | -| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
    Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
    The following items might not be available in a future release of Windows client:
    - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
    - Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
    - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
    - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | +| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
    Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
    The following items might not be available in a future release of Windows client:
    - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
    - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
    - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
    - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | -| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 | -| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you'll no longer have the option to upload new activity in Timeline. See [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | +| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 | +| Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. 
For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | | Microsoft Edge | The legacy version of Microsoft Edge is no longer being developed.| 2004 | | Companion Device Framework | The [Companion Device Framework](/windows-hardware/design/device-experiences/windows-hello-companion-device-framework) is no longer under active development.| 2004 | | Dynamic Disks | The [Dynamic Disks](/windows/win32/fileio/basic-and-dynamic-disks#dynamic-disks) feature is no longer being developed. This feature will be fully replaced by [Storage Spaces](/windows-server/storage/storage-spaces/overview) in a future release.| 2004 | | Language Community tab in Feedback Hub | The Language Community tab will be removed from the Feedback Hub. The standard feedback process: [Feedback Hub - Feedback](feedback-hub://?newFeedback=true&feedbackType=2) is the recommended way to provide translation feedback. | 1909 | | My People / People in the Shell | My People is no longer being developed. It may be removed in a future update. | 1909 | -| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
     
    The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web. | 1909 | -| XDDM-based remote display driver | Starting with this release, the Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | +| Package State Roaming (PSR) | PSR will be removed in a future update. PSR allows non-Microsoft developers to access roaming data on devices, enabling developers of UWP applications to write data to Windows and synchronize it to other instantiations of Windows for that user.
     
    The recommended replacement for PSR is [Azure App Service](/azure/app-service/). Azure App Service is widely supported, well documented, reliable, and supports cross-platform/cross-ecosystem scenarios such as iOS, Android and web.
     
    PSR was removed in Windows 11.| 1909 | +| XDDM-based remote display driver | The Remote Desktop Services uses a Windows Display Driver Model (WDDM) based Indirect Display Driver (IDD) for a single session remote desktop. The support for Windows 2000 Display Driver Model (XDDM) based remote display drivers will be removed in a future release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, check out [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 1903 | | Taskbar settings roaming | Roaming of taskbar settings is no longer being developed and we plan to remove this capability in a future release. | 1903 | -| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which are not as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | -| Windows To Go | Windows To Go is no longer being developed.

    The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | -| Print 3D app | Going forward, 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | -|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | +| Wi-Fi WEP and TKIP | Since the 1903 release, a warning message has appeared when connecting to Wi-Fi networks secured with WEP or TKIP (which aren't as secure as those using WPA2 or WPA3). In a future release, any connection to a Wi-Fi network using these old ciphers will be disallowed. Wi-Fi routers should be updated to use AES ciphers, available with WPA2 or WPA3. | 1903 | +| Windows To Go | Windows To Go is no longer being developed.

    The feature doesn't support feature updates and therefore doesn't enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs.| 1903 | +| Print 3D app | 3D Builder is the recommended 3D printing app. To 3D print objects on new Windows devices, customers must first install 3D Builder from the Store.| 1903 | +|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. Because of this reason, and because non-Microsoft partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| 1809 | |OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| 1809 | -|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. 
We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 | +|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97). It provides the same screen snipping abilities plus other features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the "Screen snip" button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| 1809 | |[Software Restriction Policies](/windows-server/identity/software-restriction-policies/software-restriction-policies) in Group Policy|Instead of using the Software Restriction Policies through Group Policy, you can use [AppLocker](/windows/security/threat-protection/applocker/applocker-overview) or [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control) to control which apps users can access and what code can run in the kernel.| 1803 | |[Offline symbol packages](/windows-hardware/drivers/debugger/debugger-download-symbols) (Debug symbol MSIs)|We're no longer making the symbol packages available as a downloadable MSI. Instead, the [Microsoft Symbol Server is moving to be an Azure-based symbol store](/archive/blogs/windbg/update-on-microsofts-symbol-server). 
If you need the Windows symbols, connect to the Microsoft Symbol Server to cache your symbols locally or use a manifest file with SymChk.exe on a computer with internet access.| 1803 | -|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. If for any reason you see an error message about "help not supported," possibly when using a non-Microsoft application, read [this support article](https://support.microsoft.com/help/917607/error-opening-help-in-windows-based-programs-feature-not-included-or-h) for additional information and any next steps.| 1803 | +|Windows Help Viewer (WinHlp32.exe)|All Windows help information is [available online](https://support.microsoft.com/products/windows?os=windows-10). The Windows Help Viewer is no longer supported in Windows 10. For more information, see [Error opening Help in Windows-based programs: "Feature not included" or "Help not supported"](https://support.microsoft.com/topic/error-opening-help-in-windows-based-programs-feature-not-included-or-help-not-supported-3c841463-d67c-6062-0ee7-1a149da3973b).| 1803 | |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. For more information, see [Developer guide for creating service metadata](/windows-hardware/drivers/mobilebroadband/developer-guide-for-creating-service-metadata) | 1803 | |Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](/previous-versions/windows/desktop/wincontacts/-wincontacts-entry-point). Instead, you can use the People app in Windows 10 to maintain your contacts.| 1803 | |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. 
It includes all the Phone Companion features.| 1803 | -|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803, and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| 1803 | -|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers has not been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| 1803 | +|IPv4/6 Transition Technologies (6to4, ISATAP, Teredo, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), Teredo has been disabled since Windows 10, version 1803. The Direct Tunnels feature has always been disabled by default. Use native IPv6 support instead.| 1803 | +|[Layered Service Providers](/windows/win32/winsock/categorizing-layered-service-providers-and-applications)|Layered Service Providers haven't been developed since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) instead. When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to reinstall them after upgrading.| 1803 | |Business Scanning| This feature is also called Distributed Scan Management (DSM) **(Added 05/03/2018)**
     
    The [Scan Management functionality](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124(v=ws.11)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| 1803 | |IIS 6 Management Compatibility* | We recommend that users use alternative scripting tools and a newer management console. | 1709 | |IIS Digest Authentication | We recommend that users use alternative authentication methods.| 1709 | 
@@ -64,15 +65,15 @@ The features described below are no longer being actively developed, and might b |Screen saver functionality in Themes | Disabled in Themes. Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lock screen features and policies are preferred. | 1709 | |Sync your settings (updated: August 17, 2017) | Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The **Sync your settings** options and the Enterprise State Roaming feature will continue to work. | 1709 | |System Image Backup (SIB) Solution | We recommend that users use full-disk backup solutions from other vendors. | 1709 | -|TLS RC4 Ciphers |To be disabled by default. For more information, see the following Windows IT Center topic: [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 | +|TLS RC4 Ciphers |To be disabled by default. For more information, see [TLS (Schannel SSP) changes in Windows 10 and Windows Server 2016](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server)| 1709 | |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. 
| 1709 | -|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | -|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | +|Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). 
| 1703 | -|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and should not be used. | 1703 | -|wusa.exe /uninstall /kb:####### /quiet|The wusa usage to quietly uninstall an update has been deprecated. The uninstall command with /quiet switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
    Applies to Windows Server 2016 and Windows Server 2019 as well.| +|IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 | +|`wusa.exe /uninstall /kb:####### /quiet`|The `wusa` tool usage to quietly uninstall an update has been deprecated. The uninstall command with `/quiet` switch fails with event ID 8 in the Setup event log. Uninstalling updates quietly could be a security risk because malicious software could quietly uninstall an update in the background without user intervention.|1507
    Applies to Windows Server 2016 and Windows Server 2019.| diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 7459c71de0..6aae1788d5 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md 
@@ -134,14 +134,14 @@ Deployment scheduling controls are always available, but to take advantage of th To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. -| Policy | Sets registry key under **HKLM\\Software** | -|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| -| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | -| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | +| Policy| Sets registry key under `HKLM\Software`| +|--|--| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | `\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing` | +| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | `\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` | Following is an example of setting the policy using Microsoft Endpoint Manager: -1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices** > **Configuration profiles** > **Create profile**. 
@@ -162,7 +162,7 @@ Following is an example of setting the policy using Microsoft Endpoint Manager: 8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing** + `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\System\AllowWUfBCloudProcessing` ## Best practices Follow these suggestions for the best results with the service. diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md index f666a097be..5b943421e5 100644 --- a/windows/deployment/update/how-windows-update-works.md +++ b/windows/deployment/update/how-windows-update-works.md @@ -99,7 +99,7 @@ For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP] > [!Note] > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior. -For WU URLs that _aren't_ used for update detection, such as for download or reporting: +For Windows Update URLs that _aren't_ used for update detection, such as for download or reporting: - User proxy is attempted. - If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted. @@ -116,7 +116,7 @@ For WU URLs that _aren't_ used for update detection, such as for download or rep |Service|ServiceId| |-------|---------| -|Unspecified / Default|WU, MU, or WSUS
    00000000-0000-0000-0000-000000000000 | +|Unspecified / Default|Windows Update, Microsoft Update, or WSUS
    00000000-0000-0000-0000-000000000000 | |Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77| |Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d| |Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| diff --git a/windows/deployment/update/includes/update-compliance-endpoints.md b/windows/deployment/update/includes/update-compliance-endpoints.md new file mode 100644 index 0000000000..864f4d38dd --- /dev/null +++ b/windows/deployment/update/includes/update-compliance-endpoints.md 
@@ -0,0 +1,25 @@ +--- +author: mestew +ms.author: mstewart +manager: dougeby +ms.prod: w10 +ms.collection: M365-modern-desktop +ms.mktglfcycl: deploy +audience: itpro +ms.topic: include +ms.date: 04/06/2022 +ms.localizationpriority: medium +--- + + +Devices must be able to contact the following endpoints in order to authenticate and send diagnostic data: + +| **Endpoint** | **Function** | +|---------------------------------------------------------|-----------| +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive most information for Update Compliance. | +| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | +| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | +| `https://adl.windows.com` | Required for Windows Update functionality. | +| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | +| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors if there are certain crashes. | +| `https://login.live.com` | This endpoint facilitates your Microsoft account access and is required to create the primary identifier we use for devices. Without this service, devices won't be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | 
diff --git a/windows/deployment/update/media/37063317-admin-center-software-updates.png b/windows/deployment/update/media/37063317-admin-center-software-updates.png new file mode 100644 index 0000000000..978ef1b476 Binary files /dev/null and b/windows/deployment/update/media/37063317-admin-center-software-updates.png differ diff --git a/windows/deployment/update/media/37063317-end-of-service-chart.png b/windows/deployment/update/media/37063317-end-of-service-chart.png new file mode 100644 index 0000000000..fbca74ba52 Binary files /dev/null and b/windows/deployment/update/media/37063317-end-of-service-chart.png differ diff --git a/windows/deployment/update/media/37063317-windows-update-status-chart.png b/windows/deployment/update/media/37063317-windows-update-status-chart.png new file mode 100644 index 0000000000..875b303375 Binary files /dev/null and b/windows/deployment/update/media/37063317-windows-update-status-chart.png differ diff --git a/windows/deployment/update/media/update-compliance-v2-query-table.png b/windows/deployment/update/media/update-compliance-v2-query-table.png new file mode 100644 index 0000000000..f48e6dc074 Binary files /dev/null and b/windows/deployment/update/media/update-compliance-v2-query-table.png differ diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index fa4f61b0d2..c64b4fd3da 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md 
@@ -70,15 +70,8 @@ All Group policies that need to be configured for Update Compliance are under ** To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints. -| **Endpoint** | **Function** | -|---------------------------------------------------------|-----------| -| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. | -| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. | -| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. | -| `http://adl.windows.com` | Required for Windows Update functionality. | -| `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER), used to provide more advanced error reporting if certain Feature Update deployment failures occur. | -| `https://oca.telemetry.microsoft.com` | Online Crash Analysis, used to provide device-specific recommendations and detailed errors in the event of certain crashes. | -| `https://login.live.com` | This endpoint facilitates MSA access and is required to create the primary identifier we use for devices. Without this service, devices will not be visible in the solution. The Microsoft Account Sign-in Assistant service must also be running (wlidsvc). | + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] ## Required services diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index f62bf4a4da..e00cfd8c93 100644 
--- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -81,7 +81,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru | 51 | Unexpected exception when attempting to run Census.exe| | 52 | Could not find Census.exe| | 53 | There are conflicting CommercialID values.| -| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.| | 55 | Failed to create new registry path for SetDeviceNameOptIn| | 56 | Failed to create property for SetDeviceNameOptIn at registry path| | 57 | Failed to update value for SetDeviceNameOptIn| diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index bc2ce23a6f..654ade49f0 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -20,10 +20,11 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 - Windows 11 -![DO status.](images/UC_workspace_DO_status.png) +:::image type="content" alt-text="Screenshot of Delivery Optimization information in Update Compliance." source="images/UC_workspace_DO_status.png" lightbox="images/UC_workspace_DO_status.png"::: + The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ## Delivery Optimization Status 
@@ -49,4 +50,9 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. + + +[!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)] + +For more information on Delivery Optimization, see [Set up Delivery Optimization for Windows](../do/waas-delivery-optimization-setup.md). diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 933738e59e..6dc2e78cdd 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -20,7 +20,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 10 +- Windows 10 - Windows 11 In this section you'll learn how to use Update Compliance to monitor your device's Windows updates and Microsoft Defender Antivirus status. To configure your environment for use with Update Compliance, refer to [Get started with Update Compliance](update-compliance-get-started.md). 
@@ -53,7 +53,7 @@ When you select this tile, you will be redirected to the Update Compliance works ![The Overview blade.](images/uc-workspace-overview-blade.png) -Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. Update Compliance displays distribution for all devices to help you determine if they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. 
@@ -68,7 +68,7 @@ The following is a breakdown of the different sections available in Update Compl ## Update Compliance data latency Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. -The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all devices part of your organization that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. +The data powering Update Compliance is refreshed every 24 hours. The last 28 days worth of data from all devices in your organization are refreshed. The entire set of data is refreshed in each daily snapshot, which means that the same data can be re-ingested even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. | Data Type | Data upload rate from device | Data Latency | |--|--|--| diff --git a/windows/deployment/update/update-compliance-v2-configuration-manual.md b/windows/deployment/update/update-compliance-v2-configuration-manual.md new file mode 100644 index 0000000000..176b1f0a64 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-configuration-manual.md 
@@ -0,0 +1,80 @@ +--- +title: Manually configuring devices for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: Manually configuring devices for Update Compliance (preview) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Manually Configuring Devices for Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more information, see the Mobile Device Management policies and Group policies tables. + +There are a number of requirements to consider when manually configuring devices for Update Compliance. These requirements can potentially change with newer versions of Windows client. The [Update Compliance configuration script](update-compliance-v2-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. + +The requirements are separated into different categories: + +1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. +2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations, must be able to reach the endpoints. +3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. 
It's recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. + + +## Required policies + +Update Compliance has a number of policies that must be appropriately configured in order for devices to be processed by Microsoft and visible in Update Compliance. Thee policies are listed below, separated by whether the policies will be configured via [Mobile Device Management](/windows/client-management/mdm/) (MDM) or Group Policy. For both tables: + +- **Policy** corresponds to the location and name of the policy. +- **Value** Indicates what value the policy must be set to. Update Compliance requires *at least* Basic (or Required) diagnostic data, but can function off Enhanced or Full (or Optional). +- **Function** details why the policy is required and what function it serves for Update Compliance. It will also detail a minimum version the policy is required, if any. + +### Mobile Device Management policies + +Each MDM Policy links to its documentation in the configuration service provider (CSP) hierarchy, providing its exact location in the hierarchy and more details. + +| Policy | Data type | Value | Function | +|--------------------------|-|-|------------------------------------------------------------| +|**Provider/*ProviderID*/**[**CommercialID**](/windows/client-management/mdm/dmclient-csp#provider-providerid-commercialid) |String |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) |Identifies the device as belonging to your organization. | +|**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. 
| +|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | +|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and won't be visible in Update Compliance, showing `#` instead. | +| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | + +### Group policies + +All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below. + +| Policy | Value | Function | +|---------------------------|-|-----------------------------------------------------------| +|**Configure the Commercial ID** |[Your CommercialID](update-compliance-v2-enable.md#bkmk_id) | Identifies the device as belonging to your organization. | +|**Allow Telemetry** | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. 
For more information, see the **Configure telemetry opt-in setting user interface**. | +|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. | +|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name won't be sent and won't be visible in Update Compliance, showing `#` instead. | +|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | + +## Required endpoints + +To enable data sharing between devices, your network, and Microsoft's Diagnostic Data Service, configure your proxy to allow devices to contact the below endpoints. + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] + +## Required services + +Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It's recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md new file mode 100644 index 0000000000..10fa6e648c --- /dev/null 
+++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md 
@@ -0,0 +1,84 @@ +--- +title: Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) +ms.reviewer: +manager: dougeby +description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance (preview) +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Configuring Microsoft Endpoint Manager devices for Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10 managed by [Microsoft Endpoint Manager](/mem/endpoint-manager-overview))*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more information, see the Mobile Device Management policies and Group policies tables. + +This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: + +1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured. +2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. +3. Wait for data to populate. 
The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md). + +## Create a configuration profile + +Take the following steps to create a configuration profile that will set required policies for Update Compliance: + +1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. +1. On the **Configuration profiles** view, select **Create a profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +1. For **Template name**, select **Custom**, and then press **Create**. +1. You're now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you'll be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). + 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-v2-enable.md#bkmk_id). + 1. Add a setting for **Commercial ID** with the following values: + - **Name**: Commercial ID + - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. + - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` + - **Data type**: String + - **Value**: *Set this value to your Commercial ID* + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: + - **Name**: Allow Telemetry + - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. 
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` + - **Data type**: Integer + - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this isn't disabled, users of each device can potentially override the diagnostic data level of devices such that data won't be available for those devices in Update Compliance: + - **Name**: Disable Telemetry opt-in interface + - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` + - **Data type**: Integer + - **Value**: 1 + 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + - **Name**: Allow device name in Diagnostic Data + - **Description**: Allows device name in Diagnostic Data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` + - **Data type**: Integer + - **Value**: 1 + 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + - **Name**: Allow Update Compliance Processing + - **Description**: Opts device data into Update Compliance processing. Required to see data. + - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` + - **Data type**: Integer + - **Value**: 16 +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review and select **Create**. 
+ +## Deploy the configuration script + +The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). + +When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices. + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) diff --git a/windows/deployment/update/update-compliance-v2-configuration-script.md b/windows/deployment/update/update-compliance-v2-configuration-script.md new file mode 100644 index 0000000000..98bb9a944e --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-configuration-script.md 
@@ -0,0 +1,137 @@ +--- +title: Update Compliance (preview) Configuration Script +ms.reviewer: +manager: dougeby +description: Downloading and using the Update Compliance (preview) Configuration Script +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Configuring devices through the Update Compliance (preview) Configuration Script + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - A new policy is required to use Update Compliance: `AllowUpdateComplianceProcessing`. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured. + +The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-v2-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured. + +## About the script + +The configuration script configures registry keys directly. Be aware that registry keys can potentially be overwritten by policy settings like Group Policy or MDM. *Reconfiguring devices with the script doesn't reconfigure previously set policies, both in the case of Group Policy and MDM*. 
If there are conflicts between your Group Policy or MDM configurations and the required configurations listed in [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md), device data might not appear in Update Compliance correctly. + +You can download the script from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=101086). Keep reading to learn how to configure the script and interpret error codes that are output in logs for troubleshooting. + +## How this script is organized + +This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode. + +- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration. +- In **Deployment** mode (`runMode=Deployment`), the script will run quietly. + +> [!Important] +> [PsExec](/sysinternals/downloads/psexec) is used to run the script in the system context. Once the device is configured, remove PsExec.exe from the device. + +## How to use this script + +Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`): + +1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`. +1. Set `commercialIDValue` to your [Commercial ID](update-compliance-v2-enable.md#bkmk_id) for the Update Compliance solution. +1. Run the script. +1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`. +1. 
If there are issues, gather the logs and provide them to Microsoft Support. + +## Verify device configuration + +In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps: + +1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer). + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **On** for the following option: + + - Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)** + - Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)** + +1. Select **Open Diagnostic Data Viewer**. + - If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + - If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed. + +1. Check for software updates on the client device. + - Windows 11: + 1. Go to **Start**, select **Settings** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + - Windows 10: + 1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**. + 1. Select **Check for updates** then wait for the update check to complete. + +1. Run the **Diagnostic Data Viewer**. + 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + 1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**. +1. 
When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items: + - The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-v2-enable.md#bkmk_id) of your Log Analytics workspace for Update Compliance. + - The **MSP** field value under **protocol** should be either `16` or `18`. + - If you need to send this data to Microsoft Support, select **Export data**. + + :::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png"::: + +## Script errors + +|Error |Description | +|---------|---------| +| 1 | General unexpected error| +| 6 | Invalid CommercialID| +| 8 | Couldn't create registry key path to set up CommercialID| +| 9 | Couldn't write CommercialID at registry key path| +| 11 | Unexpected result when setting up CommercialID.| +| 12 | CheckVortexConnectivity failed, check Log output for more information.| +| 12 | Unexpected failure when running CheckVortexConnectivity.| +| 16 | Reboot is pending on device, restart device and restart script.| +| 17 | Unexpected exception in CheckRebootRequired.| +| 27 | Not system account. | +| 30 | Unable to disable Enterprise Auth Proxy. 
This registry value must be 0 for UTC to operate in an authenticated proxy environment.| +| 34 | Unexpected exception when attempting to check Proxy settings.| +| 35 | Unexpected exception when checking User Proxy.| +| 37 | Unexpected exception when collecting logs| +| 40 | Unexpected exception when checking and setting telemetry.| +| 41 | Unable to impersonate logged-on user.| +| 42 | Unexpected exception when attempting to impersonate logged-on user.| +| 43 | Unexpected exception when attempting to impersonate logged-on user.| +| 44 | Error when running CheckDiagTrack service.| +| 45 | DiagTrack.dll not found.| +| 48 | CommercialID isn't a GUID| +| 50 | DiagTrack service not running.| +| 51 | Unexpected exception when attempting to run Census.exe| +| 52 | Couldn't find Census.exe| +| 53 | There are conflicting CommercialID values.| +| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.| +| 55 | Failed to create new registry path for SetDeviceNameOptIn| +| 56 | Failed to create property for SetDeviceNameOptIn at registry path| +| 57 | Failed to update value for SetDeviceNameOptIn| +| 58 | Unexpected exception in SetrDeviceNameOptIn| +| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.| +| 60 | Failed to delete registry key when attempting to clean up OneSettings.| +| 61 | Unexpected exception when attempting to clean up OneSettings.| +| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD| +| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.| +| 64 | AllowTelemetry isn't of the correct type REG_DWORD.| +| 66 | Failed to verify UTC connectivity and recent uploads.| +| 67 | Unexpected failure when verifying UTC CSP.| +| 91 | Failed to create new registry path for EnableAllowUCProcessing| +| 92 | Failed to create property for EnableAllowUCProcessing at registry path| +| 93 | Failed to update value for 
EnableAllowUCProcessing| +| 94 | Unexpected exception in EnableAllowUCProcessing| +| 99 | Device isn't Windows 10.| + +## Next steps + +[Use Update Compliance](update-compliance-v2-use.md) \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-v2-enable.md b/windows/deployment/update/update-compliance-v2-enable.md new file mode 100644 index 0000000000..6f62c00c8f --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-enable.md 
@@ -0,0 +1,93 @@ +--- +title: Enable the Update Compliance solution +ms.reviewer: +manager: dougeby +description: How to enable the Update Compliance through the Azure portal +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Enable Update Compliance + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +After verifying the [prerequisites](update-compliance-v2-prerequisites.md) are met, you can start to set up Update Compliance. The two main steps for setting up the Update Compliance solution are: + +1. [Add Update Compliance](#bkmk_add) to your Azure subscription. This step has the following two phases: + 1. [Select or create a new Log Analytics workspace](#bkmk_workspace) for use with Update Compliance. + 1. [Add the Update Compliance solution](#bkmk_solution) to the Log Analytics workspace. +1. Configure the clients to send data to Update compliance. You can configure clients in the following three ways: + - Use a [script](update-compliance-v2-configuration-script.md) + - Use [Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) + - Configure [manually](update-compliance-v2-configuration-manual.md) + +## Add Update Compliance to your Azure subscription + +Before you configure clients to send data, you'll need to add the Update Compliance solution to your Azure subscription so the data can be received. First, you'll select or create a new Log Analytics workspace to use. Second, you'll add the Update Compliance solution to the workspace. 
+ +### Select or create a new Log Analytics workspace for Update Compliance + +Update Compliance uses an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for storing the client diagnostic data. Identify an existing workspace or create a new one using the following steps: + +1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com). + - Although an Azure subscription is required, you won't be charged for ingestion of Update Compliance data. +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. If you already have a Log Analytics workspace, determine which Log Analytics workspace you'd like to use for Update Compliance. Ensure the workspace is in a **Compatible Log Analytics region** from the table listed in the [prerequisites](update-compliance-v2-prerequisites.md#log-analytics-regions). + - [Azure Update Management](/azure/automation/automation-intro#update-management) users should use the same workspace for Update Compliance. +1. If you don't have an existing Log Analytics workspace or you don't want to use a current workspace, [create a new workspace](/azure/azure-monitor/logs/quick-create-workspace) in a [compatible region](update-compliance-v2-prerequisites.md#log-analytics-regions). + + + +### Add the Update Compliance solution to the Log Analytics workspace + +Update Compliance is offered as an Azure Marketplace application that's linked to a new or existing Azure Log Analytics workspace within your Azure subscription. Follow the steps below to add the solution, to the workspace: + +1. Go to the [Update Compliance page in the Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps/Microsoft.WaaSUpdateInsights?tab=Overview). You might need to sign into your Azure subscription to access this page. +1. Select **Get it now**. +1. 
Select **Continue** to agree to the [terms of use](https://azure.microsoft.com/[support/legal/) and the [privacy policy](https://privacy.microsoft.com/en-us/privacystatement) to create the app in Azure. +1. Sign into the [Azure portal](https://portal.azure.com) to finish creating the Update Compliance solution. +1. Select the following settings: + - **Subscription**: The Azure subscription to use. + - **Resource group**: Select or [create a resource group](/azure/azure-resource-manager/management/manage-resource-groups-portal) for the Update Compliance solution. + - **Azure Log Analytics Workspace**: The Log Analytics workspace you created or identified for use with Update Compliance. +1. Select **Review + create** to review your settings. +1. Select **Create** to add the solution. You'll receive a notification when the Updates Compliance solution has been successfully created. + +> [!Note] +> - You can only map one tenant to one Log Analytics workspace. Mapping one tenant to multiple workspaces isn't supported. +> - If you change the Log Analytics workspace for Update Compliance, stale data will be displayed for about 24 hours until the new workspace is fully onboarded. + +### Get the Commercial ID for the Update Compliance solution + +The **Commercial ID** directs your clients to the Update Compliance solution in your Log Analytics workspace. You'll need this ID when you configure clients to send data to Update Compliance. + +1. If needed, sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the Log Analytics workspace that you added the Update Compliance solution to. +1. Select **Solutions** from the Log Analytics workspace, then select **WaaSUpdateInsights(<Log Analytics workspace name>)** to go to the summary page for the solution. +1. 
Select **Update Compliance Settings** from the **WaaSUpdateInsights(<Log Analytics workspace name>)** summary page. +1. The **Commercial Id Key** is listed in the text box with an option to copy the ID. The **Commercial Id Key** is commonly referred to as the `CommercialID` or **Commercial ID** in Update Compliance. + + > [!Warning] + > Regenerate a Commercial ID only if your original ID can no longer be used. Regenerating a Commercial ID requires you to deploy the new commercial ID to your computers in order to continue to collect data and can result in data loss. + + +## Next steps + +Once you've added Update Compliance to a workspace in your Azure subscription, you'll need to configure any devices you want to monitor. Enroll devices into Update Compliance using any of the following methods: + +- [Configure clients with a script](update-compliance-v2-configuration-script.md) +- [Configure clients manually](update-compliance-v2-configuration-manual.md) +- [Configure clients with Microsoft Endpoint Manager](update-compliance-v2-configuration-mem.md) diff --git a/windows/deployment/update/update-compliance-v2-overview.md b/windows/deployment/update/update-compliance-v2-overview.md new file mode 100644 index 0000000000..a3c3967aee --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-overview.md 
@@ -0,0 +1,77 @@ +--- +title: Update Compliance overview +ms.reviewer: +manager: dougeby +description: Overview of Update Compliance to explain what it's used for and the cloud services it relies on. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Update Compliance overview + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Compliance is a cloud-based solution that provides information about the compliance of your Azure Active Directory joined devices with Windows updates. Update Compliance is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Update Compliance helps you: + +- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices +- Report on devices with update compliance issues +- Review [Delivery Optimization](../do/waas-delivery-optimization.md) bandwidth savings across multiple content types + +## Technical preview information for Update Compliance + +The new version of Update Compliance is in technical preview. Some of the benefits of this new version include: + +- Integration with [Windows Update for Business deployment service](deployment-service-overview.md) to enable per deployment reporting, monitoring, and troubleshooting. +- Compatibility with [Feature updates](/mem/intune/protect/windows-10-feature-updates) and [Expedite Windows quality updates](/mem/intune/protect/windows-10-expedite-updates) policies in Intune. 
+- A new **Alerts** data type to assist you with identifying devices that encounter issues during the update process. Error code information is provided to help troubleshoot update issues. + +Currently, the technical preview contains the following features: + +- Access to the following new Update Compliance tables: + - UCClient + - UCClientReadinessStatus + - UCClientUpdateStatus + - UCDeviceAlert + - UCServiceUpdateStatus + - UCUpdateAlert +- Client data collection to populate the new Update Compliance tables + +:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: + +> [!IMPORTANT] +> Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + +## How Update Compliance works + +You'll set up Update Compliance by enrolling into the solution from the Azure portal. Then you'll configure your Azure AD joined devices to send Windows client diagnostic data to the solution. Update Compliance uses [Log Analytics in Azure Monitor](/azure/azure-monitor/logs/log-analytics-overview) to store the diagnostic data the clients send. You can use this data for reporting on updates for your devices. 
Update Compliance collects system data such as: + +- Update deployment progress +- Delivery Optimization usage data +- Windows Update for Business configuration data + +The Azure Log Analytics ingestion and retention charges aren't incurred on your Azure subscription for Update Compliance data. You also choose an [Azure Log Analytics workspaces](/azure/azure-monitor/logs/log-analytics-overview) that you own for your client diagnostic data. The collected diagnostic data populates the Update Compliance tables so you can easily query your data. + +## Use your Update Compliance data + +Since the data from your clients is stored in a Log Analytics workspace, you can go beyond the standard reports to analyze and display your data in multiple ways. Some of the ways you could display your data include: + +- Using the data in [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview) that you create +- Building [custom Kusto (KQL) queries](/azure/azure-monitor/logs/log-query-overview) +- Developing your own custom views by integrating the [Log Analytics data](/azure/azure-monitor/visualize/tutorial-logs-dashboards) into other tools such as: + - [Operations Management Suite](/azure/azure-monitor/agents/om-agents) + - [Power BI](/azure/azure-monitor/logs/log-powerbi) + - Other tools for [querying the data](/azure/azure-monitor/logs/log-query-overview) + +## Next steps + +- Review the [Update Compliance prerequisites](update-compliance-v2-prerequisites.md) diff --git a/windows/deployment/update/update-compliance-v2-prerequisites.md b/windows/deployment/update/update-compliance-v2-prerequisites.md new file mode 100644 index 0000000000..c4aa6213d1 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-prerequisites.md 
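Review bot: In the "How Update Compliance works" section of the overview article, "You also choose an [Azure Log Analytics workspaces]" mixes singular and plural, and the link goes to the same log-analytics-overview target already used for "Log Analytics in Azure Monitor" a few sentences earlier. Suggest "an Azure Log Analytics workspace" and either a workspace-specific link target or no second link. The same file also uses both `> [!Important]` and `> [!IMPORTANT]`; pick one casing for the alert markers.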
@@ -0,0 +1,122 @@ +--- +title: Update Compliance prerequisites +ms.reviewer: +manager: dougeby +description: Prerequisites for Update Compliance +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Update Compliance prerequisites + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> - This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. +> - Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. You should be aware that Update Compliance doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers. + +## Update Compliance prerequisites + +Before you begin the process of adding Update Compliance to your Azure subscription, ensure you meet the prerequisites. + +### Azure and Azure Active Directory + +- An Azure subscription with [Azure Active Directory](/azure/active-directory/) +- You must have either an Owner or Contributor [Azure role](/azure/role-based-access-control/rbac-and-directory-admin-roles#azure-roles) as a minimum in order to add the Update Compliance solution. 
+- Devices must be Azure Active Directory joined and meet the below OS, diagnostic, and endpoint access requirements + - Devices that are Workplace joined only (Azure AD registered) aren't supported with Update Compliance + +### Operating systems and editions + +- Windows 11 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions +- Windows 10 Professional, Education, Enterprise, and [Enterprise multi-session](/azure/virtual-desktop/windows-10-multisession-faq) editions + +Update Compliance only provides data for the standard Desktop Windows client version and isn't currently compatible with Windows Server, Surface Hub, IoT, or other versions. + +### Windows client servicing channels + +Update Compliance supports Windows client devices on the following channels: + +- General Availability Channel +- Update Compliance *counts* Windows Insider Preview devices, but doesn't currently provide detailed deployment insights for them. + +### Diagnostic data requirements + +At minimum, Update Compliance requires devices to send diagnostic data at *Required* level (previously *Basic*). Some queries in Update Compliance require devices to send diagnostic data at the following levels: + +- *Optional* level (previously *Full*) for Windows 11 devices +- *Enhanced* level for Windows 10 devices + + > [!Note] + > Device names don't appear in Update Compliance unless you individually opt-in devices by using policy. 
The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names: + > - CSP: System/[AllowDeviceNameInDiagnosticData](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) + > - Group Policy: **Allow device name to be sent in Windows diagnostic data** under **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds** + +For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319). + +### Data transmission requirements + + +[!INCLUDE [Endpoints for Update Compliance](./includes/update-compliance-endpoints.md)] + +> [!NOTE] +> Enrolling into Update Compliance from the [Azure CLI](/cli/azure) or enrolling programmatically another way currently isn't supported. You must manually add Update Compliance to your Azure subscription. + +## Microsoft 365 admin center permissions (optional) + +When you use the [Microsoft admin center software updates (preview) page](update-status-admin-center.md) with Update Compliance, the following permissions are also recommended: + - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles) + - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles) + +## Log Analytics prerequisites + +### Log Analytics permissions + +- To edit and write queries, we recommend the [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role. +- To read and only view data, we recommend the [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role. 
+ + +### Log Analytics regions + +Update Compliance can use a Log Analytics workspace in the following regions: + +|Compatible Log Analytics regions | +| ------------------------------- | +|Australia Central | +|Australia East | +|Australia Southeast | +|Brazil South | +|Canada Central | +|Central India | +|Central US | +|East Asia | +|East US | +|East US 2 | +|Eastus2euap(canary) | +|France Central | +|Japan East | +|Korea Central | +|North Central US | +|North Europe | +|South Africa North | +|South Central US | +|Southeast Asia | +|Switzerland North | +|Switzerland West | +|UK West | +|UK south | +|West Central US | +|West Europe | +|West US | +|West US 2 | + +## Next steps + +- [Enable the Update Compliance solution](update-compliance-v2-enable.md) in the Azure portal diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclient.md b/windows/deployment/update/update-compliance-v2-schema-ucclient.md new file mode 100644 index 0000000000..70e9b938c4 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclient.md 
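Review bot: In update-compliance-v2-prerequisites.md, the "Microsoft 365 admin center permissions (optional)" section recommends the Global Admin role just to configure settings for the **Software Updates** page. Please confirm that this is the minimum role that works and say so explicitly, since readers will treat the listed role as the one to assign. Separately, under "Windows client servicing channels" the second bullet ("Update Compliance *counts* Windows Insider Preview devices...") is a sentence, not a channel, so it should move out of the list. In the regions table, "Eastus2euap(canary)" and "UK south" don't match the casing and spacing of the other rows, and "UK West" is listed before "UK south".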
@@ -0,0 +1,62 @@ +--- +title: Update Compliance Data Schema - UCClient +ms.reviewer: +manager: dougeby +description: UCClient schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClient + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the OS edition, and active hours (quantitative). + +|Field |Type |Example |Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **Country** | [string](/azure/kusto/query/scalar-data-types/string) | `US` | The last-reported location of device (country), based on IP address. Shown as country code. | +| **DeviceFamily** | [string](/azure/kusto/query/scalar-data-types/string) | `PC, Phone` | The device family such as PC, Phone. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier | +| **LastCensusScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful census scan, if any. 
| +| **LastWUScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The last time this device performed a successful Windows Update scan, if any. | +| **OSArchitecture** | [string](/azure/kusto/query/scalar-data-types/string) | `x86` | The architecture of the operating system (not the device) this device is currently on. | +| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full operating system build installed on this device, such as Major.Minor.Build.Revision | +| **OSBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `da` | The major build number, in int format, the device is using. | +| **OSEdition** | [string](/azure/kusto/query/scalar-data-types/string) | `Professional` | The Windows edition | +| **OSFeatureUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Compliant` | Whether or not the device is on the latest feature update being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSFeatureUpdateEOSTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The end of service date of the feature update currently installed on the device. | +| **OSFeatureUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the feature update currently installed on the device. | +| **OSFeatureUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `InService;EndOfService` | Whether or not the device is on the latest available feature update, for its feature update. | +| **OSQualityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest quality update being offered by the Windows Update for Business deployment service, else NotApplicable. 
| +| **OSQualityUpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the quality update currently installed on the device. | +| **OSQualityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest` | Whether or not the device is on the latest available quality update, for its feature update. | +| **OSRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | The revision, in int format, this device is on. | +| **OSSecurityUpdateComplianceStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `NotCompliant` | Whether or not the device is on the latest security update (quality update where the Classification=Security) being offered by the Windows Update for Business deployment service, else NotApplicable. | +| **OSSecurityUpdateStatus** | [string](/azure/kusto/query/scalar-data-types/string)| `Latest;NotLatest;MultipleSecurityUpdatesMissing` | Whether or not the device is on the latest available security update, for its feature update. | +| **OSServicingChannel** | [string](/azure/kusto/query/scalar-data-types/string) | `SAC` | The elected Windows 10 servicing channel of the device. | +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 operating system version currently installed on the device, such as 19H2, 20H1, 20H2. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID, if available. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceEvent` | The EntityType. 
| +| **WUFeatureDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: ConfigureDeadlineForFeatureUpdates. The Windows update feature update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | +| **WUFeatureDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | CSP: DeferFeatureUpdates. The Windows update feature update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values >0 indicate the policy setting. | +| **WUFeatureGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | The Windows Update grace period for feature update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. | +| **WUFeaturePauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for feature updates, possible values are Paused, NotPaused, NotConfigured. | +| **WUQualityDeadlineDays** | [int](/azure/kusto/query/scalar-data-types/int) | `7` | CSP: ConfigureDeadlineForQualityUpdates. The Windows update quality update deadline configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values > 0 indicate the deadline in days. | +| **WUQualityDeferralDays** | [int](/azure/kusto/query/scalar-data-types/int) | `-1` | CSP: DeferQualityUpdates. The Windows Update quality update deferral configuration in days. -1 indicates not configured, 0 indicates configured but set to 0. Values greater than 0 indicate the policy setting. | +| **WUQualityGracePeriodDays** | [int](/azure/kusto/query/scalar-data-types/int) | `0` | The Windows Update grace period for quality update in days. -1 indicates not configured, 0 indicates configured and set to 0. Values greater than 0 indicate the grace period in days. 
| +| **WUQualityPauseState** | [string](/azure/kusto/query/scalar-data-types/string) | `NotConfigured` | Indicates pause status of device for quality updates, possible values are Paused, NotPaused, NotConfigured. | diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md b/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md new file mode 100644 index 0000000000..45a6a8eae7 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md 
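Review bot: In the UCClient schema table, the **OSBuildNumber** row is typed as int but its example is `da`, which is not an integer. Use a build number consistent with the **OSBuild** example `10.0.18363.836` on the row above. The **OSVersion** row has a similar mismatch: the example is `1909` while the description says "such as 19H2, 20H1, 20H2", so a reader can't tell which format the column stores. The intro sentence also mentions "active hours (quantitative)", but no active hours field appears in the table; either add the field or drop the mention.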
@@ -0,0 +1,47 @@ +--- +title: Update Compliance Data Schema - UCClientReadinessStatus +ms.reviewer: +manager: dougeby +description: UCClientReadinessStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClientReadinessStatus + +***(Applies to: Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) the device doesn't meet. + +|Field |Type |Example |Description | +|---|---|---|---| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Client-provided device name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | The global device identifier. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager Client ID, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD Tenant ID | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD Device ID | +| **OSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10` | The operating system name. 
| +| **OSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Win10 OS Version (such as 19H2, 20H1, 20H2) currently installed on the device. | +| **OSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full OS build installed on this device, such as Major.Minor.Build.Revision | +| **TargetOSName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 11` | The name of the operating system being targeted to the device for this readiness record.| +| **TargetOSVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `21H2` | The operating system version being targeted to the device for this readiness record.| +| **TargetOSBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.22000.1` | The full operating system build number that's being targeted to the device for this readiness record.| +| **ReadinessStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows Update.| +| **ReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by the Windows Update applicability. 
| +| **ReadinessScanTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed and the assessment was sent.| +| **ReadinessExpiryTime**| [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the readiness assessment will expire.| +| **SetupReadinessStatus**| [string](/azure/kusto/query/scalar-data-types/string) | `Not capable` | The readiness status of the device is either capable, not capable, or unknown. This status is determined by Windows setup.| +| **SetupReadinessReason** | [string](/azure/kusto/query/scalar-data-types/string) | `CPU;TPM` | Lists which [hardware requirements](/windows/whats-new/windows-11-requirements#hardware-requirements) are blocking the device from being capable of installing Windows 11. Field is null if the device is capable. This status is determined by Windows setup. | +| **SetupReadinessTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when readiness was assessed by setup and the assessment was sent.| +| **SetupReadinessExpiryTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The date and time when the setup readiness assessment will expire.| +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 10:26:03.478039` | The date and time when Azure Monitor Logs ingested this record for your Log Analytics workspace.| diff --git a/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md b/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md new file mode 100644 index 0000000000..0fc27a857d --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md 
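Review bot: In the UCClientReadinessStatus table, the **ReadinessStatus** and **SetupReadinessStatus** rows give the example `Not capable` but describe the values as "capable, not capable, or unknown", so the exact stored strings are unclear to anyone filtering on them in a query. List the literal values in code formatting, as the UCClient pause-state rows do with "Paused, NotPaused, NotConfigured". Also, **OSVersion** uses "Win10 OS Version" where the other schema pages spell out "Windows 10", and the **TimeGenerated** description here (ingestion time) differs from the "time the snapshot generated this specific record" wording used in the UCClient table; if the meaning is the same, use one wording.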
@@ -0,0 +1,54 @@ +--- +title: Update Compliance Data Schema - UCClientUpdateStatus +ms.reviewer: +manager: dougeby +description: UCClientUpdateStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCClientUpdateStatus + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. + +| Field | Type | Example | Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | A string corresponding to the Azure AD tenant to which the device belongs. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A string corresponding to this device's Azure AD device ID | +| **ClientState** | [string](/azure/kusto/query/scalar-data-types/string) | `Installing` | Higher-level bucket of ClientSubstate. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | Last-known state of this update relative to the device, from the client. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Ranking of client substates for sequential ordering in funnel-type views. The rankings between ServiceSubstate and ClientSubstate can be used together. 
| +| **ClientSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last client substate transition | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The identifier of the deployment that is targeting this update to this device, else empty. | +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | Device's given name | +| **FurthestClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadComplete` | Furthest clientSubstate | +| **FurthestClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2400` | Ranking of furthest clientSubstate | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier | +| **OfferReceivedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device last reported entering OfferReceived, else empty. | +| **RestartRequiredTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time when device first reported entering RebootRequired (or RebootPending), else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | A string corresponding to the Configuration Manager Client ID on the device. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). | +| **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. 
| +| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. | +| **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. | +| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `DeviceUpdateEvent` | The EntityType | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether the update classification is an upgrade (feature update), security (quality update), non-security (quality update) | +| **UpdateDisplayName** | [string](/azure/kusto/query/scalar-data-types/string) | `Windows 10 1909` | The long-form display name for the given update. Varies on content type (feature update. quality update) | +| **UpdateInstalledTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime when event transitioned to UpdateInstalled, else empty. | +| **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update | +| **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media | 
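Review bot: In the UCClientUpdateStatus table, the descriptions of the first two rows are swapped: **AzureADDeviceId** is described as "the Azure AD tenant to which the device belongs" and **AzureADTenantId** as "this device's Azure AD device ID". Swap them so that each description matches its field. Two typos in the same table: "Integer or the minor (or revision) portion" in **TargetRevisionNumber** should read "Integer of", and "(feature update. quality update)" in **UpdateDisplayName** should use a comma. **TargetVersion** is typed int here while **OSVersion** and the other version columns in the sibling schema pages are string; please confirm the type.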
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md b/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md new file mode 100644 index 0000000000..71696884f7 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md 
@@ -0,0 +1,53 @@ +--- +title: Update Compliance Data Schema - UCDeviceAlert +ms.reviewer: +manager: dougeby +description: UCDeviceAlert schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCDeviceAlert + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from (ServiceDeviceAlert, ClientDeviceAlert). For example, an EndOfService alert is a ClientDeviceAlert, as a build no longer being serviced (EOS) is a client-wide state. Meanwhile, DeviceRegistrationIssues in the Windows Update for Business deployment service will be a ServiceDeviceAlert, as it's a device-wide state in the service to not be correctly registered. + +|Field |Type |Example |Description | +|---|---|---|---| +| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational. 
| +| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert | +| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting | +| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted | +| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert. | +| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present. | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. | +| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other alert fields + language preference that describes the issue in detail. 
| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft global identifier, if available. | +| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on source of alert) that provides a recommended action. | +| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else Empty. | +| **ServiceSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `100` | Rank of ServiceSubstate | +| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. | +| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. 
| +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this content is an upgrade (feature update), security (quality update), non-security (quality update) | diff --git a/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md b/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md new file mode 100644 index 0000000000..e2fb645ed5 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md 
@@ -0,0 +1,41 @@ +--- +title: Update Compliance Data Schema - UCServiceUpdateStatus +ms.reviewer: +manager: dougeby +description: UCServiceUpdateStatus schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCServiceUpdateStatus + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. This event has certain fields removed from it in favor of being able to show data in near real-time. + +| Field | Type | Example | Description | +|---|---|---|---| +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | A GUID corresponding to the Azure AD tenant to which the device belongs. | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | If this DeviceUpdateEvent is from content deployed by a deployment scheduler service policy, this GUID will map to that policy, otherwise it will be empty. 
| +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:9832741921341` | Microsoft internal global device identifier | +| **OfferReadyTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | DateTime of OfferReady transition. If empty, not yet been offered. | +| **ServiceState** | [string](/azure/kusto/query/scalar-data-types/string) | `Offering` | High-level state of update's status relative to device, service-side. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | Low-level state of update's status relative to device, service-side. | +| **ServiceSubstateTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Date and time of last ServiceSubstate transition. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build for the content this event is tracking. For Windows 10, this string corresponds to "10.0.Build.Revision" | +| **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The version of content this DeviceUpdateEvent is tracking. For Windows 10 updates, this number would correspond to the year/month version format used, such as 1903. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | Time the snapshot ran can also be the same as EventDateTimeUTC in some cases. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `ServiceUpdateEvent` | The EntityType | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) | 
diff --git a/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md b/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md new file mode 100644 index 0000000000..1520b8656b --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md 
@@ -0,0 +1,56 @@ +--- +title: Update Compliance Data Schema - UCUpdateAlert +ms.reviewer: +manager: dougeby +description: UCUpdateAlert schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# UCUpdateAlert + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +Alert for both client and service updates. Contains information that needs attention, relative to one device (client), one update, and one deployment (if relevant). Certain fields may be blank depending on the UpdateAlert's AlertType field; for example, ServiceUpdateAlert won't necessarily contain client-side statuses. + +|Field |Type |Example |Description | +|---|---|---|---| +| **AlertClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Error` | Whether this alert is an Error, a Warning, or Informational | +| **AlertData** | [string](/azure/kusto/query/scalar-data-types/string) {json} | `{ "freeDiskCapacityMb": 3213, "contentSizeMb": 4381}` | An optional string formatted as a json payload containing metadata for the alert. 
| +| **AlertId** | [string](/azure/kusto/query/scalar-data-types/string) | `9e107d9d372bb6826bd81d3542a419d6` | The unique identifier of this alert | +| **AlertRank** | [int](/azure/kusto/query/scalar-data-types/int) | `1000` | Integer ranking of alert for prioritization during troubleshooting | +| **AlertStatus** | [string](/azure/kusto/query/scalar-data-types/string) | `Active` | Whether this alert is Active, Resolved, or Deleted | +| **AlertSubtype** | [string](/azure/kusto/query/scalar-data-types/string) | `DiskFull` | The subtype of alert | +| **AlertType** | [string](/azure/kusto/query/scalar-data-types/string) | `ClientUpdateAlert` | The type of alert such as ClientUpdateAlert or ServiceUpdateAlert. Indicates which fields will be present | +| **AzureADDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `71db1a1a-f1a6-4a25-b88f-79c2f513dae0` | Azure AD device ID of the device, if available. | +| **AzureADTenantId** | [string](/azure/kusto/query/scalar-data-types/string) | `69ca04b0-703d-4b3a-9184-c4e3c15d6f5e` | Azure AD tenant ID of the device. | +| **ClientSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `DownloadStart` | If the alert is from the client, the ClientSubstate at the time this alert was activated or updated, else empty. | +| **ClientSubstateRank** | [int](/azure/kusto/query/scalar-data-types/int) | `2300` | Rank of ClientSubstate | +| **DeploymentId** | [string](/azure/kusto/query/scalar-data-types/string) | `cf1b12a3-3d84-4ce3-bc8e-de48459e252d` | The deployment this alert is relative to, if there's one. | +| **Description** | [string](/azure/kusto/query/scalar-data-types/string) | `Disk full` | A localized string translated from a combination of other Alert fields + language preference that describes the issue in detail. 
| +| **DeviceName** | [string](/azure/kusto/query/scalar-data-types/string) | `JohnPC-Contoso` | The given device's name | +| **ErrorCode** | [string](/azure/kusto/query/scalar-data-types/string) | `0x8326CFA2D_C3FD` | The error code, if any, that triggered this alert. In the case of client-based explicit alerts, error codes can have extended error codes, which are appended to the error code with an underscore separator. | +| **ErrorSymName** | [string](/azure/kusto/query/scalar-data-types/string) | `WU_E_DISK_FULL` | The symbolic name that maps to the error code, if any, otherwise empty. | +| **GlobalDeviceId** | [string](/azure/kusto/query/scalar-data-types/string) | `g:1298371934870` | Internal Microsoft Global identifier, if available. | +| **Recommendation** | [string](/azure/kusto/query/scalar-data-types/string) | `Free up disk space.` | A localized string translated from RecommendedAction, Message, and other fields (depending on the source of the alert) that provides a recommended action. | +| **ResolvedTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was resolved, else empty. | +| **SCCMClientId** | [string](/azure/kusto/query/scalar-data-types/string) | `5AB72FAC-93AB-4954-9AB0-6557D0EFA245` | Configuration Manager client ID of the device, if available. | +| **ServiceSubstate** | [string](/azure/kusto/query/scalar-data-types/string) | `OfferReady` | If the alert is from the service, the ServiceSubstate at the time this alert was activated or updated, else empty. | +| **StartTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time this alert was activated. | +| **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `18363.836` | The Windows 10 Major. Revision this UpdateAlert is relative to. 
| +| **TargetVersion** | [string](/azure/kusto/query/scalar-data-types/string) | `1909` | The Windows 10 build this UpdateAlert is relative to. | +| **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. | +| **Type** | [string](/azure/kusto/query/scalar-data-types/string) | `UpdateAlert` | The entity type. | +| **UpdateCategory** | [string](/azure/kusto/query/scalar-data-types/string) | `WindowsFeatureUpdate` | The type of content this DeviceUpdateEvent is tracking. | +| **UpdateClassification** | [string](/azure/kusto/query/scalar-data-types/string) | `Upgrade` | Whether this update is an upgrade (feature update), security (quality update), non-security (quality update) | +| **URL** | [string](/azure/kusto/query/scalar-data-types/string) | `aka.ms/errordetail32152` | An optional URL to get more in-depth information related to this alert. | diff --git a/windows/deployment/update/update-compliance-v2-schema.md b/windows/deployment/update/update-compliance-v2-schema.md new file mode 100644 index 0000000000..4a8db43f15 --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-schema.md 
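Review bot: In the UCUpdateAlert table (update-compliance-v2-schema-ucupdatealert.md), the **TargetBuild** and **TargetVersion** descriptions do not match their examples: `18363.836` is described as "The Windows 10 Major. Revision" and `1909` as "The Windows 10 build". Suggest describing TargetBuild as the build and revision and TargetVersion as the version, as the UCServiceUpdateStatus table does, and settling on one TargetBuild format, since this table shows `18363.836` and that one shows `10.0.18363.836`. The same two descriptions appear in the alert table that ends just before the UCServiceUpdateStatus file. The **ErrorCode** example `0x8326CFA2D_C3FD` also has nine hex digits before the underscore, one more than a 32-bit error code holds; an eight-digit example would avoid confusing readers who try to look it up.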
@@ -0,0 +1,40 @@ +--- +title: Update Compliance (preview) data schema +ms.reviewer: +manager: dougeby +description: An overview of Update Compliance (preview) data schema +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: reference +ms.date: 06/06/2022 +--- + +# Update Compliance version 2 schema + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +When the visualizations provided in the default experience don't fulfill your reporting needs, or if you need to troubleshoot issues with devices, it's valuable to understand the schema for Update Compliance and have a high-level understanding of the capabilities of [Azure Monitor log queries](/azure/azure-monitor/log-query/query-language) to power additional dashboards, integration with external data analysis tools, automated alerting, and more. + +## Schema + +The table below summarizes the different tables that are part of the Update Compliance solution. To learn how to navigate Azure Monitor Logs to find this data, see [Get started with log queries in Azure Monitor](/azure/azure-monitor/log-query/get-started-queries). + +> [!NOTE] +> Data is collected daily. The TimeGenerated field shows the time data was collected. It's added by Log Analytics when data is collected. Device data from the past 28 days is collected, even if no new data has been generated since the last time. LastScan is a clearer indicator of data freshness (that is, the last time the values were updated), while TimeGenerated indicates the freshness of data within Log Analytics. 
+ +|Table |Category |Description | +|--|--|--| +| [**UCClient**](update-compliance-v2-schema-ucclient.md) | Device record | UCClient acts as an individual device's record. It contains data such as the currently installed build, the device's name, the operating system edition, and active hours (quantitative). | +|[**UCClientReadinessStatus**](update-compliance-v2-schema-ucclientreadinessstatus.md) | Device record | UCClientReadinessStatus is an individual device's record about its readiness for updating to Windows 11. If the device isn't capable of running Windows 11, the record includes which Windows 11 hardware requirements the device doesn't meet.| +| [**UCClientUpdateStatus**](update-compliance-v2-schema-ucclientupdatestatus.md) | Device record | Update Event that combines the latest client-based data with the latest service-based data to create a complete picture for one device (client) and one update. | +| [**UCDeviceAlert**](update-compliance-v2-schema-ucdevicealert.md)| Service and device record | These alerts are activated as a result of an issue that is device-specific. It isn't specific to the combination of a specific update and a specific device. Like UpdateAlerts, the AlertType indicates where the Alert comes from such as a ServiceDeviceAlert or ClientDeviceAlert. | +| [**UCServiceUpdateStatus**](update-compliance-v2-schema-ucserviceupdatestatus.md) | Service record | Update Event that comes directly from the service-side. The event has only service-side information for one device (client), and one update, in one deployment. | +| [**UCUpdateAlert**](update-compliance-v2-schema-ucupdatealert.md) | Service and device records | Alert for both client and service update. Contains information that needs attention, relative to one device (client), one update, and one deployment, if relevant. Certain fields may be blank depending on the UpdateAlert's AlertType field. 
For example, ServiceUpdateAlert won't necessarily contain client-side statuses and may be blank. | diff --git a/windows/deployment/update/update-compliance-v2-use.md b/windows/deployment/update/update-compliance-v2-use.md new file mode 100644 index 0000000000..79edaa01cc --- /dev/null +++ b/windows/deployment/update/update-compliance-v2-use.md 
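Review bot: In update-compliance-v2-schema.md, the front-matter title ("Update Compliance (preview) data schema") and the H1 ("Update Compliance version 2 schema") name the feature differently; the other new articles in this patch use "(preview)", so suggest aligning the H1 with them. In the summary table, the UCUpdateAlert row ends "won't necessarily contain client-side statuses and may be blank", where "and may be blank" has no clear subject and repeats the previous sentence; the intro of the UCUpdateAlert article states the same thing without that tail. The Category column also mixes "Service and device record" and "Service and device records".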
@@ -0,0 +1,66 @@ +--- +title: Use the Update Compliance (preview) solution +ms.reviewer: +manager: dougeby +description: How to use the Update Compliance (preview) solution. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.collection: M365-analytics +ms.topic: article +ms.date: 06/06/2022 +--- + +# Use Update Compliance (preview) + +***(Applies to: Windows 11 & Windows 10)*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +In this article, you'll learn how to use Update Compliance to monitor Windows updates for your devices. To configure your environment for use with Update Compliance, see [Enable Update Compliance](update-compliance-v2-enable.md). + +## Display Update Compliance data + +1. Sign into the [Azure portal](https://portal.azure.com). +1. In the Azure portal, type **Log Analytics** in the search bar. As you begin typing, the list filters based on your input. +1. Select **Log Analytics workspaces**. +1. Select the workspace that you use for Updates Compliance. +1. Select **Logs** under the **General** group in your workspace. +1. If the **Always show Queries** option is enabled in Log Analytics, close the query window to access the schema. +1. Under **Schemas and filter**, select **Group by: Solution** and then expand the **Update Compliance** schema. If the **Group by: Category** is selected, the **Update Compliance** schema is listed under the **Other** category. +1. Use the [Update Compliance schema](update-compliance-v2-schema.md) for [custom Kusto (KQL) queries](/azure/data-explorer/kusto/query/), to build [custom workbooks](/azure/azure-monitor/visualize/workbooks-overview), or to build your own solution to display the Update Compliance data. 
For example, you might query the data to review information for different types of alerts in the past 7 days and how many times each alert occurred. + +```kusto +UCUpdateAlert +| summarize count=count() by AlertClassification, AlertSubtype, ErrorCode, Description +``` + +:::image type="content" source="media/update-compliance-v2-query-table.png" alt-text="Screenshot of using a custom Kusto (KQL) query on Update Compliance data in Log Analytics." lightbox="media/update-compliance-v2-query-table.png"::: + +## Update Compliance data latency + +Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. + +The data powering Update Compliance is refreshed every 24 hours, and refreshes with the latest data from all of your organization's devices that have been seen in the past 28 days. The entire set of data is refreshed in each daily snapshot, which means that the same data can be ingested again even if no new data actually arrived from the device since the last snapshot. Snapshot time can be determined by the TimeGenerated field for each record, while LastScan can be used to roughly determine the freshness of each record's data. Device connectivity to the internet and generally how active the device is influences how long it will take before it appears in Update Compliance. 
+ +| Data Type | Data upload rate from device | Data Latency | +|--|--|--| +| UCClient | Once per day |4 hours | +| UCClientUpdateStatus|Every update event (Download, install, etc.)|24-36 hours | +| UCServiceUpdateStatus| Every update event (Download, install, etc.)|24-36 hours | +| UCUpdateAlert | Every event | 24-36 hours | +| UCDeviceAlert | Every event | 24-36 hours | +| UCClientReadinessStatus | After Windows 11 readiness assessment |24-36 hours | + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within Azure portal, can deeply enhance your experience and complement Update Compliance. + +See below for a few articles related to Log Analytics: +- Learn how to effectively execute custom Log Searches by referring to Microsoft Azure's excellent documentation on [querying data in Log Analytics](/azure/log-analytics/log-analytics-log-searches). +- Review the documentation on [analyzing data for use in Log Analytics](/azure/log-analytics/log-analytics-dashboards) to develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/). +- [Gain an overview of alerts for Log Analytics](/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. diff --git a/windows/deployment/update/update-status-admin-center.md b/windows/deployment/update/update-status-admin-center.md new file mode 100644 index 0000000000..a6e1f241de --- /dev/null +++ b/windows/deployment/update/update-status-admin-center.md 
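Review bot: In step 8 of "Display Update Compliance data" (update-compliance-v2-use.md), the text promises alerts "in the past 7 days" but the sample query has no time filter, so it summarizes every UCUpdateAlert record the workspace retains. Suggest adding `| where TimeGenerated > ago(7d)` before the `summarize` line. The latency section in the same file says the entire data set is ingested again in each daily snapshot, so a plain `count()` across several days counts the same alert once per snapshot; counting distinct AlertId values (for example with `dcount(AlertId)`) or restricting the query to the latest snapshot would report alerts instead of records. Step 4 also has a typo, "Updates Compliance".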
@@ -0,0 +1,86 @@ +--- +title: Microsoft admin center software updates (preview) page +manager: dougeby +description: Microsoft admin center populates Update Compliance data into the software updates page. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.pagetype: deploy +audience: itpro +author: mestew +ms.author: mstewart +ms.localizationpriority: medium +ms.collection: + - M365-analytics + - highpri +ms.topic: article +ms.date: 05/07/2022 +--- + +# Microsoft admin center software updates (preview) page + +***(Applies to: Windows 11 & Windows 10 using [Update Compliance](update-compliance-v2-overview.md) and the [Microsoft 365 admin center](/microsoft-365/admin/admin-overview/admin-center-overview))*** + +> [!Important] +> This information relates to a preview feature that's available for early testing and use in a production environment. This feature is fully supported but it's still in active development and may receive substantial changes until it becomes generally available. + +The **Software updates** page in the [Microsoft 365 admin center](https://admin.microsoft.com) displays a high-level overview of the installation status for Microsoft 365 Apps and Windows updates in your environment. [Quality updates](quality-updates.md) that contain security fixes are typically released on the second Tuesday of each month. Ensuring these updates are installed is important because they help protect you from known vulnerabilities. The **Software updates** page allows you to easily determine the overall update compliance for your devices. + +The **Software updates** page has following tabs to assist you in monitoring update status for your devices: + +- **Microsoft 365 Apps**: Displays update status for Microsoft 365 Apps. + - For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). 
+- **Windows**: Displays compliance charts for cumulative updates and feature updates for Windows clients. This article contains information about the **Windows** tab. + +:::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png"::: + +## Prerequisites + +- [Update Compliance](update-compliance-v2-overview.md) needs to be enabled with clients sending data to the solution +- An appropriate role assigned for the [Microsoft 365 admin center](https://admin.microsoft.com) + - To configure settings for the **Software Updates** page: [Global Admin role](/microsoft-365/admin/add-users/about-admin-roles) + - To view the **Software Updates** page: [Global Reader role](/microsoft-365/admin/add-users/about-admin-roles) + +## Limitations + +Update Compliance is a Windows service hosted in Azure that uses Windows diagnostic data. Update Compliance is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). + +## Get started + +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com/) and sign in. +1. Expand **Health**, then select **Software Updates**. You may need to use the **Show all** option to display **Health** in the navigation menu. +1. In the **Software Updates** page, select the **Windows** tab. +1. When you select the **Windows** tab for the first time, you'll be asked to **Configure Settings**. 
This tab is populated by data from [Update Compliance](update-compliance-v2-overview.md). Verify or supply the following information about the settings for Update Compliance: + + - The Azure subscription + - The Log Analytics workspace +1. The initial setup can take up to 24 hours. During this time, the **Windows** tab will display that it's **Waiting for Update Compliance data**. +1. After the initial setup is complete, the **Windows** tab will display your Update Compliance data in the charts. + +> [!Tip] +> If you don't see an entry for **Software updates (preview)** in the menu, try going to this URL: [https://admin.microsoft.com/Adminportal/Home#/softwareupdates](https://admin.microsoft.com/Adminportal/Home#/softwareupdates). + +## The Windows tab + +The **Windows** tab in the **Software updates** page in the Microsoft admin center is populated by data from [Update Compliance](update-compliance-v2-overview.md). The tab contains a high-level overview of update compliance for Windows clients in your environment. The tab displays two charts **Windows update status** and **End of service**. The Update Compliance data that populates these charts refreshes every 24 hours. For more information, see [Update Compliance data latency](update-compliance-v2-use.md#update-compliance-data-latency). + +### Windows update status chart + +The **Windows update status** chart gives you a visual representation of how many devices are in the following states for the monthly cumulative updates: + +- Up to date +- Missing security updates +- Unsupported operating system + +A device is considered **Up to date** in this chart if it has installed [security updates](quality-updates.md) released within the past two months. Devices that are more two months behind on installation are in the **Missing security updates** classification. An **Unsupported operating system** is no longer supported by the [Microsoft Product Lifecycle](/lifecycle/products/). 
+ +:::image type="content" source="media/37063317-windows-update-status-chart.png" alt-text="Screenshot of the Windows update status chart that is displayed in the Microsoft 365 admin center." lightbox="media/37063317-windows-update-status-chart.png"::: + +### End of service chart + +The **End of service** chart list the number of devices running an operating system version that's near or past the [Microsoft Product Lifecycle](/lifecycle/products/). The **End of service** chart lists all operating system versions that aren't the latest version and counts the number of devices for each version. This chart can help you determine how many of your devices need to install the latest operating system [feature update](waas-quick-start.md#definitions). If you're currently deploying feature updates to these devices, the chart can also give you insight into how the deployment is progressing. + +:::image type="content" source="media/37063317-end-of-service-chart.png" alt-text="Screenshot of the end of service chart that is displayed in the Microsoft 365 admin center." lightbox="media/37063317-end-of-service-chart.png"::: + +## Next steps + +Use [Update Compliance](update-compliance-v2-overview.md) to display additional data about the status of Windows updates. diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md index ccd0fe2dc5..dec2eca8c6 100644 --- a/windows/deployment/update/windows-update-error-reference.md +++ b/windows/deployment/update/windows-update-error-reference.md 
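Review bot: In the "Windows update status chart" section of update-status-admin-center.md, the sentence that defines the **Missing security updates** state is missing a word ("Devices that are more two months behind on installation"); readers will use this definition to interpret the chart, so suggest "more than two months behind". Similar slips in the same file: "has following tabs" and "The **End of service** chart list the number". The title and H1 say "Microsoft admin center" while the body says "Microsoft 365 admin center", and the menu entry is written both "Software updates" and "Software Updates"; pick one form of each. Under Prerequisites, Global Admin is the only role listed for configuring the page; if a narrower role is sufficient, naming it would avoid steering readers to the broadest one.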
@@ -45,8 +45,8 @@ This section lists the error codes for Microsoft Windows Update. | 0x80243002 | `WU_E_INSTALLATION_RESULTS_INVALID_DATA` | The results of download and installation could not be read from the registry due to an invalid data format. | | 0x80243003 | `WU_E_INSTALLATION_RESULTS_NOT_FOUND` | The results of download and installation are not available; the operation may have failed to start. | | 0x80243004 | `WU_E_TRAYICON_FAILURE` | A failure occurred when trying to create an icon in the taskbar notification area. | -| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; WU client UI modules may not be installed. | -| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of WU client UI exported functions. | +| 0x80243FFD | `WU_E_NON_UI_MODE` | Unable to show UI when in non-UI mode; Windows Update client UI modules may not be installed. | +| 0x80243FFE | `WU_E_WUCLTUI_UNSUPPORTED_VERSION` | Unsupported version of Windows Update client UI exported functions. | | 0x80243FFF | `WU_E_AUCLIENT_UNEXPECTED` | There was a user interface error not covered by another `WU_E_AUCLIENT_*` error code. | | 0x8024043D | `WU_E_SERVICEPROP_NOTAVAIL` | The requested service property is not available. | diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md index cd20de0565..ca12e829de 100644 --- a/windows/deployment/update/windows-update-overview.md +++ b/windows/deployment/update/windows-update-overview.md 
@@ -47,8 +47,8 @@ To understand the changes to the Windows Update architecture that UUP introduces > >Store apps aren't installed by USO, today they are separate. -- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. -- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Windows Update Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **Windows Update Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. - **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. Additional components include the following- diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md index e90960de49..a93c10f142 100644 
--- a/windows/deployment/update/wufb-wsus.md +++ b/windows/deployment/update/wufb-wsus.md @@ -57,6 +57,9 @@ To help you better understand the scan source policy, see the default scan behav > [!TIP] > The only two relevant policies for where your updates come from are the specify scan source policy and whether or not you have configured a WSUS server. This should simplify the configuration options. +> [!NOTE] +> If you have devices configured for WSUS and do not configure the scan source policy for feature updates to come from Windows update or set any Windows Update for Business offering policies, then users who select "Check online for updates" on the Settings page may see the optional upgrade to Windows 11. We recommend configuring the scan source policy or a Windows Update for Business offering policy to prevent such. + ## Configure the scan sources The policy can be configured using the following two methods: diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index daf7fb1e1a..88fe7b97db 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -42,7 +42,7 @@ The following table describes some log files and how to use them for troubleshoo |setupact.log|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about setup actions during the installation.|Investigate post-upgrade related issues.| |setuperr.log|Same as setupact.log|Contains information about setup errors during the installation.|Review all errors encountered during the installation phase.| |miglog.xml|Post-upgrade (after OOBE):
    Windows\Panther|Contains information about what was migrated during the installation.|Identify post upgrade data migration issues.| -|BlueBox.log|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and WU down-level failures or for 0xC1900107.| +|BlueBox.log|Down-Level:
    Windows\Logs\Mosetup|Contains information communication between setup.exe and Windows Update.|Use during WSUS and Windows Update down-level failures or for 0xC1900107.| |Supplemental rollback logs:
    Setupmem.dmp
    setupapi.dev.log
    Event logs (*.evtx)|$Windows.~BT\Sources\Rollback|Additional logs collected during rollback.|Setupmem.dmp: If OS bug checks during upgrade, setup will attempt to extract a mini-dump.
    Setupapi: Device install issues - 0x30018
    Event logs: Generic rollbacks (0xC1900101) or unexpected reboots.| ## Log entry structure diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index d2bec5e3f1..aa86279555 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -189,5 +189,5 @@ Also see the following sequential list of modern setup (mosetup) error codes wit - [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications) - [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro) - [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors) -- [Win 7 to Win 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020)) -- [Win 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3) +- [Windows 7 to Windows 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020)) +- [Windows 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 505f23ab18..96000210d8 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md 
@@ -298,7 +298,7 @@ Each rule name and its associated unique rule identifier are listed with a descr 39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8 - Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code. 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. + - Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 959bb7e649..17a7749691 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -57,15 +57,15 @@ X = unsupported
    | **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | | **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | | **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | -| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | -| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | -| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | +| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png)
    (1703 - PC)
    (1709 - Microsoft Store for Business) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) | +| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | +| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png)
    (Microsoft Store for Business) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | > [!NOTE] > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 46541e996a..eb5de29561 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
@@ -30,7 +30,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi - **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options. - You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. + You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`. 
- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml new file mode 100644 index 0000000000..97e466d258 --- /dev/null +++ b/windows/deployment/windows-autopatch/TOC.yml 
@@ -0,0 +1,64 @@ +- name: Windows Autopatch + href: index.yml + items: + - name: Overview + href: + items: + - name: What is Windows Autopatch? + href: overview/windows-autopatch-overview.md + - name: FAQ + href: overview/windows-autopatch-faq.yml + - name: Prepare + href: prepare/index.md + items: + - name: Prerequisites + href: prepare/windows-autopatch-prerequisites.md + - name: Configure your network + href: prepare/windows-autopatch-configure-network.md + - name: Enroll your tenant + href: prepare/windows-autopatch-enroll-tenant.md + - name: Fix issues found by the Readiness assessment tool + href: prepare/windows-autopatch-fix-issues.md + - name: Deploy + href: deploy/index.md + items: + - name: Add and verify admin contacts + href: deploy/windows-autopatch-admin-contacts.md + - name: Register your devices + href: deploy/windows-autopatch-register-devices.md + - name: Operate + href: operate/index.md + items: + - name: Update management + href: operate/windows-autopatch-update-management.md + items: + - name: Windows quality updates + href: operate/windows-autopatch-wqu-overview.md + items: + - name: Windows quality end user experience + href: operate/windows-autopatch-wqu-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-wqu-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-wqu-communications.md + - name: Conflicting and unsupported policies + href: operate/windows-autopatch-wqu-unsupported-policies.md + - name: Microsoft 365 Apps for enterprise + href: operate/windows-autopatch-microsoft-365-apps-enterprise.md + - name: Microsoft Edge + href: operate/windows-autopatch-edge.md + - name: Microsoft Teams + href: operate/windows-autopatch-teams.md + - name: Deregister a device + href: operate/windows-autopatch-deregister-devices.md + - name: Submit a support request + href: operate/windows-autopatch-support-request.md + - name: Reference + href: + items: + - name: Privacy + 
href: references/windows-autopatch-privacy.md + - name: Windows Autopatch preview addendum + href: references/windows-autopatch-preview-addendum.md + + diff --git a/windows/deployment/windows-autopatch/deploy/index.md b/windows/deployment/windows-autopatch/deploy/index.md new file mode 100644 index 0000000000..b91c6a7098 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/index.md @@ -0,0 +1,20 @@ +--- +title: Deploying with Windows Autopatch +description: Landing page for the deploy section +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Deploying with Windows Autopatch + +The following articles describe the steps you must take to deploy your devices with Windows Autopatch: + +1. [Add and verify admin contacts](windows-autopatch-admin-contacts.md) +1. [Register devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md new file mode 100644 index 0000000000..2ecfa99202 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md 
@@ -0,0 +1,47 @@ +--- +title: Add and verify admin contacts +description: This article explains how to add and verify admin contacts +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Add and verify admin contacts + +> [!IMPORTANT] +> The Admin contacts blade isn't available during public preview. However, we'll use the admin contacts provided by you during public preview onboarding. + +There are several ways that Windows Autopatch service communicates with customers. To streamline communication and ensure we're checking with the right people when you [submit a support request](../operate/windows-autopatch-support-request.md), you must provide a set of admin contacts when you onboard with Windows Autopatch. + +> [!IMPORTANT] +> You might have already added these contacts in the Microsoft Endpoint Manager admin center during the enrollment process. If so, take a moment now to double-check that the contact list is accurate, since the Windows Autopatch Service Engineering Team must be able to reach them if a severe incident occurs. + +You must have an admin contact for each specified area of focus. The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting your support request. Admin contacts should be the best person or group that can answer questions and make decisions for different [areas of focus](#area-of-focus). + +> [!IMPORTANT] +> Whoever you choose as admin contacts, they must have the knowledge and authority to make decisions for your Windows Autopatch environment. The Windows Autopatch Service Engineering Team will contact these admin contacts for questions involving support requests. + +## Area of focus + +Your admin contacts will receive notifications about support request updates and new messages. 
These areas include the following: + +| Area of focus | Description | +| ----- | ----- | +| Devices |

    • Device registration
    • Device health
    | +| Updates |
    • Windows quality updates
    • Microsoft 365 Apps for enterprise
    • Microsoft Teams updates
    • Microsoft Edge
    | + +**To add admin contacts:** + +1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Under **Tenant administration** in the **Windows Autopatch** section, select **Admin contacts**. +1. Select **+Add**. +1. Enter the contact details including name, email, phone number and preferred language. For a support ticket, the ticket's primary contact's preferred language will determine the language used for email communications. +1. Select an [Area of focus](#area-of-focus) and enter details of the contact's knowledge and authority in the specified area of focus. +1. Select **Save** to add the contact. +1. Repeat for each area of focus. diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md new file mode 100644 index 0000000000..7dbed8bc97 --- /dev/null +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md 
@@ -0,0 +1,135 @@ +--- +title: Register your devices +description: This article details how to register devices in Autopatch +ms.date: 05/31/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: andredm7 +--- + +# Register your devices + +Before Microsoft can manage your devices in Windows Autopatch, you must have devices registered with the service. + +## Before you begin + +Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: + +- [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) +- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) +- [Microsoft Edge updates](../operate/windows-autopatch-edge.md) +- [Microsoft Teams updates](../operate/windows-autopatch-teams.md) + +### About the use of an Azure AD group to register devices + +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service. + +> [!NOTE] +> All devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. 
+ +#### Supported scenarios when nesting other Azure AD groups + +Windows Autopatch also supports the following Azure AD nested group scenarios: + +Azure AD groups synced up from: + +- On-premises Active Directory groups (Windows server type). +- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync). + +> [!IMPORTANT] +> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. + +> [!TIP] +> You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. + +## Prerequisites + +To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: + +- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) +- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). +- Managed by Microsoft Endpoint Manager. + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements). + - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads: + - Windows updates policies + - Device configuration + - Office Click-to-run +- Last Intune device check-in completed within the last 28 days. + +For more details on each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article. 
+ +## About the Ready and Not ready tabs + +Windows Autopatch introduces a new user interface to help IT admins manage devices and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices. + +> [!IMPORTANT] +> The **Not ready** tab will not be available during the first week of the public preview. + +| Tab | Purpose | +| ----- | ----- | +| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. | +| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.

    Devices successfully registered and healthy don't appear in the Not ready tab. | + +## Built-in roles required for device registration + +A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices: + +- Azure AD Global Administrator +- Service Support Administrator +- Intune Service Administrator +- Modern Workplace Intune Administrator + +For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control). + +> [!NOTE] +> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles. + +## Details about the device registration process + +Registering your devices in Windows Autopatch does the following: + +1. Makes a record of devices in the service. +2. Assign devices into the ring groups and other groups required for software updates management. + +## Steps to register devices + +**To register devices into Windows Autopatch:** + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Windows Autopatch** from the left navigation menu. +3. Select **Devices**. +4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +5. Add either devices through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. 
+ +Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them. + +> [!IMPORTANT] +> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview. + +## Other device lifecycle management scenarios + +There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch. + +### Device refresh + +If a device was previously registered into the Windows Autopatch service, but it needs to be reimaged, you must run one of the device provisioning processes available in Microsoft Endpoint Manager to reimage the device. + +The device will be rejoined to Azure AD (either Hybrid or Azure AD-only). Then, re-enrolled into Intune as well. No further action is required from you or the Windows Autopatch service, because the Azure AD device ID record of that device remains the same. + +### Device repair and hardware replacement + +If you need to repair a device that was previously registered into the Windows Autopatch service, by replacing the motherboard, non-removable network interface cards (NIC) or hard drive, you must re-register the device into the Windows Autopatch service, because a new hardware ID is generated when there are major hardware changes, such as: + +- SMBIOS UUID (motherboard) +- MAC address (non-removable NICs) +- OS hard drive's serial, model, manufacturer information + +When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device. 
+ +> [!IMPORTANT] +> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even if it's the same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** group. This process guarantees the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service. diff --git a/windows/deployment/windows-autopatch/index.yml b/windows/deployment/windows-autopatch/index.yml new file mode 100644 index 0000000000..b99aeb0317 --- /dev/null +++ b/windows/deployment/windows-autopatch/index.yml 
@@ -0,0 +1,39 @@ +### YamlMime:Landing + +title: Windows Autopatch documentation # < 60 chars +summary: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # < 160 chars + +metadata: + title: Windows Autopatch documentation # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. # Required; article description that is displayed in search results. < 160 chars. + keywords: device, app, update, management + ms.service: w11 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.topic: landing-page # Required + author: tiaraquan #Required; your GitHub user alias, with correct capitalization. + ms.author: tiaraquan #Required; microsoft alias of author; optional team alias. + ms.date: 05/30/2022 #Required; mm/dd/yyyy format. + ms.custom: intro-hub-or-landing + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: About Windows Autopatch + linkLists: + - linkListType: overview + links: + - text: What is Windows Autopatch? 
+ url: ./overview/windows-autopatch-overview.md + - text: Windows Autopatch FAQ + url: ./overview/windows-autopatch-faq.yml + + # Card (optional) + - title: Articles and blog posts + linkLists: + - linkListType: learn + links: + - text: "[Blog] Get current and stay current with Windows Autopatch" + url: https://techcommunity.microsoft.com/t5/windows-it-pro-blog/get-current-and-stay-current-with-windows-autopatch/ba-p/3271839 + diff --git a/windows/deployment/windows-autopatch/media/release-process-timeline.png b/windows/deployment/windows-autopatch/media/release-process-timeline.png new file mode 100644 index 0000000000..9aab1d73cf Binary files /dev/null and b/windows/deployment/windows-autopatch/media/release-process-timeline.png differ diff --git a/windows/deployment/windows-autopatch/media/update-communications.png b/windows/deployment/windows-autopatch/media/update-communications.png new file mode 100644 index 0000000000..e4eceeccd6 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/update-communications.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-force-update.png b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png new file mode 100644 index 0000000000..147d61e752 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-force-update.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png new file mode 100644 index 0000000000..830f9f1428 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-typical-update-experience.png differ 
diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png new file mode 100644 index 0000000000..043e275574 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md new file mode 100644 index 0000000000..44954ce00f --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/index.md @@ -0,0 +1,25 @@ +--- +title: Operating with Windows Autopatch +description: Landing page for the operate section +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Operating with Windows Autopatch + +This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team: + +- [Update management](windows-autopatch-update-management.md) +- [Windows quality updates](windows-autopatch-wqu-overview.md) +- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md) +- [Microsoft Edge updates](windows-autopatch-edge.md) +- [Microsoft Teams updates](windows-autopatch-teams.md) +- [Deregister devices](windows-autopatch-deregister-devices.md) +- [Submit a support request](windows-autopatch-support-request.md) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md new file mode 100644 index 0000000000..bfb6b35250 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md 
@@ -0,0 +1,46 @@ +--- +title: Deregister a device +description: This article explains how to deregister devices +ms.date: 05/31/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: andredm7 +--- + +# Deregister a device + +To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device de-registration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity. + +**To deregister a device:** + +1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Select **Windows Autopatch** in the left navigation menu. +1. Select **Devices**. +1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister. +1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**. + +## Excluded devices + +When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to re-register the device into the service again, since the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group. + +> [!IMPORTANT] +> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues. + +If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. 
After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices. + +## Hiding unregistered devices + +You can hide unregistered devices you don't expect to be remediated anytime soon. + +**To hide unregistered devices:** + +1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/). +1. Select **Windows Autopatch** in the left navigation menu. +1. Select **Devices**. +1. In the **Not ready** tab, select an unregistered device or a group of unregistered devices you want to hide then select **Status == All**. +1. Unselect the **Registration failed** status checkbox from the list. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md new file mode 100644 index 0000000000..4b27f96da4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md 
@@ -0,0 +1,42 @@ +--- +title: Microsoft Edge +description: This article explains how Microsoft Edge updates are managed in Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Microsoft Edge + +Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge. + +## Device eligibility + +For a device to be eligible for Microsoft Edge updates as a part of Windows Autopatch, they must meet the following criteria: + +- The device must be powered on and have an internet connection. +- There are no policy conflicts between Windows Autopatch policies and customer policies. +- The device must be able to access the required network endpoints to reach the Microsoft Edge update service. +- If Microsoft Edge is open, it must restart for the update process to complete. + +## Update release schedule + +Microsoft Edge will check for updates every 10 hours. Quality updates occur weekly by default. Feature updates occur automatically every four weeks and are rolled out [progressively](/deployedge/microsoft-edge-update-progressive-rollout) by the Microsoft Edge product group to ensure the best experience for customers. All users will see the update within a few days of the initial release. + +Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities. + +Devices in the Test device group receive feature updates from the [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks. + +## Pausing and resuming updates + +Currently, Windows Autopatch can't pause or resume Microsoft Edge updates. 
+ +## Incidents and outages + +If you're experiencing issues related to Microsoft Edge updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md new file mode 100644 index 0000000000..2175c45a94 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md 
@@ -0,0 +1,113 @@ +--- +title: Microsoft 365 Apps for enterprise +description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Microsoft 365 Apps for enterprise + +## Service level objective + +Windows Autopatch aims to keep at least 90% of eligible devices on a [supported version](/deployoffice/overview-update-channels#support-duration-for-monthly-enterprise-channel) of the Monthly Enterprise Channel (MEC) for [Enterprise Standard Suite](/deployoffice/about-microsoft-365-apps) (Access, Excel, OneNote, Outlook, PowerPoint, and Word). Microsoft 365 Apps deployed on the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) are supported for two months. + +> [!NOTE] +> [Microsoft Teams](../operate/windows-autopatch-teams.md) uses a different update channel from the rest of Microsoft 365 Apps. + +## Device eligibility + +For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a part of Windows Autopatch, they must meet the following criteria: + +- Microsoft 365 Apps for enterprise 64-bit must be installed. +- There are no policy conflicts between Microsoft Autopatch policies and customer policies. +- The device must have checked into the Intune service in the last five days. + +## Update release schedule + +All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. 
Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN). + +Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. + +## Update rings + +Since the Office CDN determines when devices are offered updates, Windows Autopatch doesn't use rings to control the rollout of these updates. + +## End user experience + +There are two parts of the end user experience that are configured by Windows Autopatch: + +- Behavior during updates +- Office client + +### Behavior during updates + +Updates can only be applied when Microsoft 365 Apps aren't running. Therefore, notifications usually appear because the user is working in a Microsoft 365 App, such as Microsoft Outlook, and hasn't closed it in several days. + +Once the device has downloaded the update, users are given notifications leading up to the deadline. They'll receive the following message in the notification area in Windows, reminding them that updates are ready to be applied. + +*Updates ready to be applied +Updates are required by your system admin are blocked by one or more apps. Office will restart at mm/dd/yyyy h:mm AM/PM to apply updates.* + +Alternatively, users can select **Update now** to apply the updates. The user is then prompted to close all open Office programs. After the updates are applied, the message disappears. 
+ +When the deadline arrives and the updates still aren't applied, users will: + +1. See a dialog box that warns them that they have 15 minutes before the updates are applied. +1. Have 15 minutes to save and close any work. + +When the countdown reaches 00∶00, any open Office programs are closed, and the updates are applied. + +### Office client app configuration + +To ensure that users are receiving automatic updates, Windows Autopatch prevents the user from opting out of automatic updates. + +## Update controls + +If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might pause the update by forcing Microsoft 365 Apps to stay on a specific version. + +Windows Autopatch will either: + +- Choose to stay on the previous version for rings that haven't received the update yet. +- Force all devices to roll back to the previous version. + +> [!NOTE] +> Windows Autopatch doesn't currently allow customers to force their devices to stay on a previous version or rollback to a previous version. + +Since quality updates are bundled together into a single release in the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview), we can't roll back only a portion of the update for Microsoft 365 Apps for enterprise. + +## Conflicting and unsupported policies + +Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed. + +### Update policies + +Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management. 
+ +| Update setting | Value | Usage reason | +| ----- | ----- | ----- | +| Set updates to occur automatically | Enabled | Enable automatic updates | +| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch | +| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch | +| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs | +| Set a deadline by when updates must be applied | 3 | Update deadline | +| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated | +| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates | + +## Microsoft 365 Apps servicing profiles + +A service profile takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. + +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. + +## Incidents and outages + +If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. 
+ +If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md new file mode 100644 index 0000000000..06eeae4e4d --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md 
@@ -0,0 +1,71 @@ +--- +title: Submit a support request +description: Details how to contact the Windows Autopatch Service Engineering Team and submit support requests +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Submit a support request + +> [!IMPORTANT] +> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with troubleshooting issues. + +You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. + +## Submit a new support request + +Support requests are triaged and responded to as they're received. + +**To submit a new support request:** + +1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant administration** menu. +1. In the **Windows Autopatch** section, select **Service requests**. +1. In the **Service requests** section, select **+ New support request**. +1. Enter your question(s) and/or a description of the problem. +1. Review all the information you provided for accuracy. +1. When you're ready, select **Create**. + +## Manage an active support request + +The primary contact for the support request will receive email notifications when a case is created, assigned to a service engineer to investigate, and mitigated. If, at any point, you have a question about the case, the best way to get in touch is to reply directly to one of those emails. If we have questions about your request or need more details, we'll email the primary contact listed on the support requests. + +## View all your active support requests + +You can see the summary status of all your support requests. 
At any time, you can use the portal to see all active support requests in the last six months. + +**To view all your active support requests:** + +1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. +1. In the **Windows Autopatch** section, select **Service request**. +1. From this view, you can export the summary view or select any case to view the details. + +## Edit support request details + +You can edit support request details, for example, updating the primary case contact. + +**To edit support request details:** + +1. Sign into [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) and navigate to the **Tenant Administration** menu. +1. In the **Windows Autopatch** section, select **Service request**. +1. In the **Service requests** section, use the search bar or filters to find the case you want to edit. +1. Select the case to open the request's details. +1. Scroll to the bottom of the request details and select **Edit**. +1. Update the editable information, add attachments to the case, or add a note for the Windows Autopatch Service Engineering Team. +1. Select **Save**. + +Once a support request is mitigated, it can no longer be edited. If a request has been mitigated for less than 24 hours, you'll see the option to reactivate instead of edit. Once reactivated, you can again edit the request. + +## Microsoft FastTrack + +[Microsoft FastTrack](https://www.microsoft.com/en-us/fasttrack) offers Microsoft 365 deployment guidance for customers with 150 or more licenses of an eligible subscription at no additional cost. FastTrack Specialists can help customers work through the Windows Autopatch technical prerequisites described in the [FAQ](../overview/windows-autopatch-faq.yml). For more information, visit the [FastTrack website](https://www.microsoft.com/en-ca/fasttrack?rtc=1). 
+ +Customers who need help with Microsoft 365 workloads can sign in to https://fasttrack.microsoft.com/ with a valid Azure ID and submit a Request for Assistance. + + Contact your Microsoft account team if you need additional assistance. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md new file mode 100644 index 0000000000..8cf360c310 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-teams.md 
@@ -0,0 +1,53 @@ +--- +title: Microsoft Teams +description: This article explains how Microsoft Teams updates are managed in Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Microsoft Teams + +Windows Autopatch uses the [standard automatic update channel](/microsoftteams/teams-client-update#can-admins-deploy-updates-instead-of-teams-auto-updating) for Microsoft Teams. + +## Device eligibility + +For a device to be eligible for automated Teams updates as a part of Windows Autopatch they must meet the following criteria: + +- Microsoft Teams must be installed on the device. +- The user must be signed into both the device and Teams. +- The device must be able to access the Teams update service [network endpoints](../prepare/windows-autopatch-configure-network.md). +- Once the update is downloaded, the user must be logged in with the device in an idle state for at least 40 minutes to ensure that Teams can automatically update. + +## Update release schedule + +The Teams desktop client updates are released once a month for all users, and twice a month for members of the Technology Adoption Program (TAP). + +Updates undergo vigorous internal testing and are first released to members of TAP for validation. The update usually takes place on a Monday. If a critical update is needed, Teams will bypass this schedule and release the update as soon as it's available. + +## End user experience + +Teams will check for updates every few hours behind the scenes, download the updates, and then will wait for the computer to be idle for at least 40 minutes before automatically installing the update. + +When an update is available, the following are required to be able to download the update: + +- The user must be signed into both the device and Teams. +- The device must have an internet connection. 
+- The device must be able to access the required network endpoints to reach the Teams update service. + +> [!NOTE] +> If a user is on a version of Teams that is out of date, Teams will force the user to update prior to allowing them to use the application. + +## Pausing and resuming updates + +Windows Autopatch can't pause or resume Teams updates. + +## Incidents and outages + +If you're experiencing issues related to Teams updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md new file mode 100644 index 0000000000..ac151e3512 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md 
@@ -0,0 +1,69 @@ +--- +title: Update management +description: This article provides an overview of how updates are handled in Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: overview +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Update management + +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates. + +## Update types + +| Update type | Description | +| ----- | ----- | +| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | +| Anti-virus definition | Updated with each scan. | +| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). | +| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | +| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | + +## Update rings + +> [!NOTE] +> Update rings only apply to Windows quality updates. + +During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings: + +1. Modern Workplace Devices - Test +2. Modern Workplace Devices - First +3. Modern Workplace Devices - Fast +4. Modern Workplace Devices - Broad + +Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area. + +When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. 
The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release. + +> [!NOTE] +> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch. + +| Ring | Default device count | Description +| ----- | ----- | ----- | +| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:

    • 0–500 devices: minimum one device
    • 500–5000 devices: minimum five devices
    • 5000+ devices: min 50 devices
    Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | 1% | The First ring is the first group of production users to receive a change.

    This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

    Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| +| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

    The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

    | +| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| + +## Moving devices between rings + +If you want to move separate devices to different rings, repeat the following steps for each device: + +1. In Microsoft Endpoint Manager, select **Devices** in the left pane. +2. In the **Windows Autopatch** section, select **Devices**. +3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +4. Select **Device actions** from the menu. +5. Select **Assign device to ring**. A fly-in opens. +6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. + +When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. + +> [!NOTE] +> You can't move devices to other rings if they're in the "error" or "pending" registration state.

    If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md new file mode 100644 index 0000000000..f4eab55834 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md @@ -0,0 +1,45 @@ +--- +title: Windows quality update communications +description: This article explains Windows quality update communications +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows quality update communications + +There are three categories of communication that are sent out during a Windows quality update: + +- [Standard communications](#standard-communications) +- [Communications during release](#communications-during-release) +- [Incident communications](#incident-communications) + +Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication. + +:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline"::: + +## Standard communications + +| Communication | Location | Timing | Description | +| ----- | ----- | ----- | ----- | +| Release schedule |

    • Message center
    • Messages blade
    • Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
      • | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. | +| Release start | Same as release schedule | The second Tuesday of every month | Notification that the update is now being released into your environment. | +| Release summary | Same as release schedule | The fourth Tuesday of every month | Informs you of the percentage of eligible devices that were patched during the release. | + +## Communications during release + +The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the Microsoft Endpoint Manager portal shortly after Autopatch becomes aware of the new information. + +There are some circumstances where Autopatch will need to change the release schedule based on new information. + +For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information. + +## Incident communications + +Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md new file mode 100644 index 0000000000..2636932319 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md 
@@ -0,0 +1,76 @@ +--- +title: End user experience +description: This article explains the Windows quality update end user experience +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# End user experience + +Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours. + +## User notifications + +In this section we'll review what an end user would see in the following three scenarios: + +1. Typical update experience +2. Quality update deadline forces an update +3. Quality update grace period + +### Typical update experience + +The Windows 10 quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update. + +Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either: + +- Restart immediately to install the updates +- Schedule the installation, or +- Snooze (the device will attempt to install outside of [active hours](#servicing-window). + +In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. + +:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience"::: + +### Quality update deadline forces an update + +In the following example, the user: + +- Ignores the notification and selects snooze. +- Further notifications are received, which the user ignores. +- The device is unable to install the updates outside of active hours. + +The deadline specified in the update policy is five days. 
Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. + +:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update"::: + +### Quality update grace period + +In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on. + +Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. + +:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period"::: + +## Servicing window + +Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies: + +| Policy | Description | +| ----- | ----- | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. 
| +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | + +> [!IMPORTANT] +> Both policies must be deployed for them to work as expected. + +A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible. + +> [!IMPORTANT] +> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule, and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management:
        • [Update/ScheduledInstallDay](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday)
        • [Update/ScheduledInstallEveryWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek)
        • [Update/ScheduledInstallFirstWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek)
        • [Update/ScheduledInstallFourthWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek)
        • [Update/ScheduledInstallSecondWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek)
        • [Update/ScheduledInstallThirdWeek](/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek)
        • [Update/ScheduledInstallTime](/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime)
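Review bot: In "Typical update experience" (windows-autopatch-wqu-end-user-exp.md), the Snooze bullet opens a parenthesis that is never closed: "(the device will attempt to install outside of [active hours](#servicing-window)." needs a ")" before the period. In the "Servicing window" table, both rows write the time as "12∶00AM" with a ratio character instead of an ASCII colon; use "12:00 AM" so the value is searchable and renders consistently. The final IMPORTANT callout says "The use of any of the following CSPs", but every item listed is a setting under `policy-csp-update`, so "policies" is the accurate term.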
        diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md new file mode 100644 index 0000000000..2eebfd6f24 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md 
@@ -0,0 +1,76 @@ +--- +title: Windows quality updates +description: This article explains how Windows quality updates are managed in Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows quality updates + +## Service level objective + +Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. + +## Device eligibility + +For a device to be eligible for Windows quality updates as a part of Windows Autopatch they must meet the following criteria: + +| Criteria | Description | +| ----- | ----- | +| Activity | Devices must have at least six hours of usage, with at least two hours being continuous. | +| Intune sync | Devices must have checked with Intune within the last five days. | +| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. | +| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. | +| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). | +| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). | +| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). | +| Group policy conflict | Devices must not have group policies deployed which would prevent device management. 
For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) | + +## Windows quality update releases + +Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. + +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: + +| Policy | Description | +| ----- | ----- | +| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. | +| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. | +| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. 
| + +> [!IMPORTANT] +> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). + +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). + +:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: + +## Expedited releases + +Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release. + +When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update as quickly. + +| Release type | Group | Deferral | Deadline | Grace period | +| ----- | ----- | ----- | ----- | ----- | +| Standard release | Test

        First

        Fast

        Broad | 0

        1

        6

        9 | 0

        2

        2

        5 | 0

        2

        2

        2 | +| Expedited release | All devices | 0 | 1 | 1 | + +> [!NOTE] +> Windows Autopatch doesn't allow customers to request expedited releases. + +## Pausing and resuming a release + +If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release. + +If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed. + +> [!NOTE] +> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md new file mode 100644 index 0000000000..cf052fbba4 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md 
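Review bot: In windows-autopatch-wqu-overview.md, the Deadlines row of the policy table links to `#update-autorestartdeadlineperiodindays` while the Grace periods row links to `#update-configuredeadlinegraceperiod`; confirm the deadline anchor is the policy Autopatch actually sets, because the row's description should match the linked policy. In "Expedited releases", "since those devices are already getting the update as quickly" is an unfinished comparison and needs its second half. The IMPORTANT callout under the policy table joins two sentences with a comma ("ineligible for management, it will still receive policies ...") and leaves the subject of "may not function as designed" unclear; split it and name what may not function. "For a device to be eligible ... they must meet" mixes singular and plural, and the Group policy conflict row is missing its closing period.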
@@ -0,0 +1,61 @@ +--- +title: Windows quality update signals +description: This article explains the Windows quality update signals +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows quality update signals + +Windows Autopatch monitors a specific set of signals and aims to release quality updates both quickly and safely. The service doesn't comprehensively monitor every use case in Windows. + +If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release. + +## Pre-release signals + +Before being released to the Test ring, Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences. + +| Text | Text | +| ----- | ----- | +| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. | +| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. | +| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. | + +## Early signals + +The update is released to the Test ring on the second Tuesday of the month. Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. 
There are also several new Microsoft internal signals that have become available to the service that are monitored throughout the release. + +| Device reliability signal | Description | Microsoft will | +| ----- | ----- | ----- | +| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |

        • Consider expediting the release
        • Update customers with a risk profile
        +| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. |
        • Determine if a customer advisory is necessary
        • Pause the release if there's significant user impact
        | +| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary | + +## Device reliability signals + +Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. + +The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version. + +As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update. + +Autopatch monitors the following reliability signals: + +| Device reliability signal | Description | +| ----- | ----- | +| Blue screens | These events are highly disruptive to end users so are closely watched. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. | +| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | +| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | + +When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch is able to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers. 
+ +Once your tenant reaches 500 devices, Windows Autopatch starts generating recommendations specific to your devices. Based on this information, the service starts developing insights specific to your tenant allowing a customized response to what's happening in your environment. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md new file mode 100644 index 0000000000..7495f42487 --- /dev/null +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md @@ -0,0 +1,39 @@ +--- +title: Conflicting and unsupported policies +description: This article explains the conflicting and unsupported policies in Windows quality updates +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Conflicting and unsupported policies + +Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed. + +## Update policies + +Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management. + +| Allowed policy | Policy CSP | Description | +| ----- | ----- | ----- | +| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | Update/ActiveHoursStart | This policy controls the end of the protected window where devices won't reboot.

        Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.

        Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. | +| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range.

        This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. | + +## Group policy + +Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management: + +`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState` + +## Incidents and outages + +If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. + +If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml new file mode 100644 index 0000000000..2c496594e3 --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml 
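Review bot: In windows-autopatch-wqu-signals.md, the "Pre-release signals" table still carries placeholder headers, "| Text | Text |"; replace them with real column names before merge. The "Early signals" table reuses the header "Device reliability signal" although its rows (Security Risk Profile, B-Release internal and social signals) are not the reliability metrics defined in the following section, so the column needs its own name. In "Device reliability signals", "significant differences between the two Windows versions" refers to two versions that are never introduced; state which versions are compared.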
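Review bot: In windows-autopatch-wqu-unsupported-policies.md, the "Active hours start" row carries the description of the end policy: it says the policy "controls the end of the protected window" and that the value "can be no more than 12 hours after the time set in active hours start". The servicing window table added in windows-autopatch-wqu-end-user-exp.md describes the same policy as the start of the window with no 12-hour clause, so reuse that wording here. "Window Autopatch" under "Update policies" should be "Windows Autopatch", and in "If any policies ... are deployed to devices that aren't on the permitted list" the clause "that aren't on the permitted list" attaches to devices rather than to policies. The table also states a 12-hour limit for active hours end beside an ActiveHoursMaxRange of "eight through to 18" without saying how the two interact.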
@@ -0,0 +1,106 @@ +### YamlMime:FAQ +metadata: + title: Windows Autopatch - Frequently Asked Questions (FAQ) + description: Answers to frequently asked questions about Windows Autopatch. + ms.prod: w11 + ms.topic: faq + ms.date: 06/02/2022 + audience: itpro + ms.localizationpriority: medium + manager: dougeby + author: tiaraquan + ms.author: tiaraquan + ms.reviwer: hathind +title: Frequently Asked Questions about Windows Autopatch +summary: This article answers frequently asked questions about Windows Autopatch. +sections: + - name: General + questions: + - question: What Windows versions are supported? + answer: | + Windows Autopatch works with all [supported versions of Windows 10 and Windows 11](/windows/release-health/supported-versions-windows-client) Enterprise and Professional editions. + - question: What is the difference between Windows Update for Business and Windows Autopatch? + answer: | + Windows Autopatch is a service that removes the need for organizations to plan and operate the update process. Windows Autopatch moves the burden from your IT to Microsoft. Windows Autopatch uses [Windows Update for Business](/windows/deployment/update/deployment-service-overview) and other service components to update devices. Both are part of Windows Enterprise E3. + - question: Is Windows 365 for Enterprise supported with Windows Autopatch? + answer: | + Windows Autopatch supports Windows 365 for Enterprise. Windows 365 for Business isn't supported. + - question: Does Windows Autopatch support Windows Education (A3) or Windows Front Line Worker (F3) licensing? + answer: | + Autopatch isn't available for 'A' or 'F' series licensing. + - question: Will Windows Autopatch support local domain join Windows 10? + answer: | + Windows Autopatch doesn't support local (on-premise) domain join. 
Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid). + - question: Will Windows Autopatch be available for state and local government customers? + answer: | + Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. + - name: Requirements + questions: + - question: What are the prerequisites for Windows Autopatch? + answer: | + - [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client) + - [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) + - [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) + - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) + - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements) + - [Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010) + - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune) + - question: What are the licensing requirements for Windows Autopatch? + answer: | + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). 
+ - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) + - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) + - question: Are there hardware requirements for Windows Autopatch? + answer: | + No, Windows Autopatch doesn't require any specific hardware. However, general hardware requirements for updates are still applicable. For example, to deliver Windows 11 to your Autopatch devices they must meet [specific hardware requirements](/windows/whats-new/windows-11-requirements). Windows devices must be supported by your hardware OEM. + - name: Device registration + questions: + - question: Can Autopatch customers individually approve or deny devices? + answer: | + No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported. + - name: Update Management + questions: + - question: What systems does Windows Autopatch update? + answer: | + - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. + - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. + - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. + - question: What does Windows Autopatch do to ensure updates are done successfully? 
+ answer: For information about the Microsoft Admin Center, see [Manage third-party app subscriptions for your organization](/microsoft-365/commerce/manage-saas-apps). + - question: What does Windows Autopatch do to ensure updates are done successfully? + answer: | + For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + - question: What happens if there's an issue with an update? + answer: | + Autopatch relies on the following capabilities to help resolve update issues: + - Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). + - Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls). + - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? + answer: | + For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). 
For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. + - question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch? + answer: | + The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable. + - question: Can you customize the scheduling of an update rollout to only install on certain days and times? + answer: | + No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. + - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + answer: | + Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? + answer: | + The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. + - name: Support + questions: + - question: What support is available for customers who need help with onboarding to Windows Autopatch? 
+ answer: | + The FastTrack Center is the primary mode of support for customers who need assistance from Microsoft to meet the pre-requisites (such as Intune and Azure or Hybrid AD) for onboarding to Windows Autopatch. For more information, see [Microsoft FastTrack for Windows Autopatch](../operate/windows-autopatch-support-request.md#microsoft-fasttrack). When you've onboarded with Windows Autopatch, you can [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team. + - name: Other + questions: + - question: Are there Autopatch specific APIs or PowerShell scripts available? + answer: | + Programmatic access to Autopatch isn't currently available. +additionalContent: | + ## Additional Content + [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch \ No newline at end of file diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md new file mode 100644 index 0000000000..f2bb7d8615 --- /dev/null +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md 
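Review bot: In windows-autopatch-faq.yml, the question "What does Windows Autopatch do to ensure updates are done successfully?" appears twice under Update Management, and the first copy's answer points to "Manage third-party app subscriptions for your organization", which does not answer it; drop the first entry or restore the question it was written for. The metadata key `ms.reviwer` is misspelled. The last link in additionalContent, `(https://aka.ms/Community/WindowsAutopatch`, has no closing parenthesis, and the release-cadence answer opens "(for a Windows quality update" without closing it. The Co-management prerequisite links to `/prepare/windows-autopatch-prerequisites.md#co-management-requirements` while the licensing answer links to the same file as `../prepare/...`, and the "Hybrid AD join" and "Azure AD join" links both target `concept-azure-ad-join-hybrid`. "Window 10/11" and "Windows autopatch" also need correcting.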
@@ -0,0 +1,91 @@ +--- +title: What is Windows Autopatch? (preview) +description: Details what the service is and shortcuts to articles +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# What is Windows Autopatch? (preview) + +> [!IMPORTANT] +> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch). + +Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. + +## Unique to Windows Autopatch + +Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today: + +- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices. +- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration. +- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value. +- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud. +- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started. 
+- **Minimize end user disruption**: By releasing in sequential update rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized. + +Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks. + +## Update management + +The goal of Windows Autopatch is to deliver software updates to registered devices; the service frees up IT and minimizes disruptions to your end users. Once a device is registered with the service, Windows Autopatch takes on several areas of management: + +| Management area | Service level objective | +| ----- | ----- | +| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. | +| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). | +| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. | +| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. | + +For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. 
It's your responsibility to ensure that devices are meeting eligibility requirements for each management area. + +To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance. + +While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service. + +## Messages + +To stay informed of upcoming changes, including new and changed features, planned maintenance, or other important announcements, navigate to [Microsoft 365 admin center > Message center](https://admin.microsoft.com/adminportal/home#/MessageCenter). + +## Accessibility + +Microsoft remains committed to the security of your data and the [accessibility](https://www.microsoft.com/trust-center/compliance/accessibility) of our services. For more information, see the [Microsoft Trust Center](https://www.microsoft.com/trust-center) and the [Office Accessibility Center](https://support.office.com/article/ecab0fcf-d143-4fe8-a2ff-6cd596bddc6d). + +## Need more details? 
+ +### Prepare + +The following articles describe the mandatory steps to prepare for enrollment, including: + +- [Prerequisites](../prepare/windows-autopatch-prerequisites.md) +- [Configure your network](../prepare/windows-autopatch-configure-network.md) +- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md) +- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) + +### Deploy + +Once you're ready to enroll, this section includes the following articles: + +- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) +- [Register your devices](../deploy/windows-autopatch-register-devices.md) + +### Operate + +This section includes the following information about your day-to-day life with the service: + +- [Update management](../operate/windows-autopatch-update-management.md) +- [Submit a support request](../operate/windows-autopatch-support-request.md) +- [Deregister a device](../operate/windows-autopatch-deregister-devices.md) + +### References + +This section includes the following articles: + +- [Privacy](../references/windows-autopatch-privacy.md) +- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md) diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md new file mode 100644 index 0000000000..71ba6f2d78 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/index.md 
@@ -0,0 +1,22 @@ +--- +title: Preparing for Windows Autopatch +description: Landing page for the prepare section +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Preparing for Windows Autopatch + +The following articles describe the steps you must take to onboard with Windows Autopatch: + +1. [Review the prerequisites](windows-autopatch-prerequisites.md) +1. [Configure your network](windows-autopatch-configure-network.md) +1. [Enroll your tenant](windows-autopatch-enroll-tenant.md) +1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md new file mode 100644 index 0000000000..a1fb48b746 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md 
@@ -0,0 +1,49 @@ +--- +title: Configure your network +description: This article details the network configurations needed for Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Configure your network + +## Proxy configuration + +Windows Autopatch is a cloud service. There's a set of endpoints that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. + +You can optimize their network by sending all trusted Microsoft 365 network requests directly through their firewall or proxy to bypass authentication, and all additional packet-level inspection or processing. This process reduces latency and your perimeter capacity requirements. + +## Proxy requirements + +The proxy or firewall must support TLS 1.2. Otherwise, you might have to disable protocol detection. + +### Required Windows Autopatch endpoints for proxy and firewall rules + +The following URLs must be on the allowed list of your proxy and firewall so that Windows Autopatch devices can communicate with Microsoft services. + +The Windows Autopatch URL is used for anything our service runs on the customer API. You must ensure this URL is always accessible on your corporate network. + +| Microsoft service | URLs required on allowlist | +| ----- | ----- | +| Windows Autopatch |

        • mmdcustomer.microsoft.com
        • mmdls.microsoft.com
        | + +### Required Microsoft product endpoints + +There are URLs from several Microsoft products that must be in the allowed list so that Windows Autopatch devices can communicate with those Microsoft services. Use the links to see the complete list for each product. + +| Microsoft service | URLs required on Allowlist | +| ----- | ----- | +| Windows 10/11 Enterprise including Windows Update for Business | [Manage connection endpoints for Windows 10 Enterprise, version 1909](/windows/privacy/manage-windows-1909-endpoints)

        [Manage connection endpoints for Windows 10 Enterprise, version 2004](/windows/privacy/manage-windows-2004-endpoints)

        [Connection endpoints for Windows 10 Enterprise, version 20H2](/windows/privacy/manage-windows-20h2-endpoints)

        [Manage connection endpoints for Windows 10 Enterprise, version 21H1](/windows/privacy/manage-windows-21h1-endpoints)

        [Manage connection endpoints for Windows 10 Enterprise, version 21H2](/windows/privacy/manage-windows-21h2-endpoints)

        [Manage connection endpoints for Windows 11 Enterprise](/windows/privacy/manage-windows-11-endpoints)

        | +| Microsoft 365 | [Microsoft 365 URL and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide&preserve-view=true) | +| Azure Active Directory | [Hybrid identity required ports and protocols](/azure/active-directory/hybrid/reference-connect-ports)

        [Active Directory and Active Directory Domain Services Port Requirements](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10))

        | +| Microsoft Intune | [Intune network configuration requirements](/intune/network-bandwidth-use)

        [Network endpoints for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

        +| Microsoft Edge | [Allowlist for Microsoft Edge Endpoints](/deployedge/microsoft-edge-security-endpoints) | +| Microsoft Teams | [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) | +| Windows Update for Business (WUfB) | [Windows Update for Business firewall and proxy requirements](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md new file mode 100644 index 0000000000..c594bece89 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md 
@@ -0,0 +1,108 @@ +--- +title: Enroll your tenant +description: This article details how to enroll your tenant +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Enroll your tenant + +Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time. + +The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch. + +## Step 1: Review all prerequisites + +To start using the Windows Autopatch service, ensure you meet the [Windows Autopatch prerequisites](../prepare/windows-autopatch-prerequisites.md). + +## Step 2: Run the Readiness assessment tool + +> [!IMPORTANT] +> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again. + +The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements). + +**To access and run the Readiness assessment tool:** + +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. 
In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**. + +> [!IMPORTANT] +> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md). + +A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). + +The Readiness assessment tool checks the following settings: + +### Microsoft Intune settings + +The following are the Microsoft Intune settings: + +| Check | Description | +| ----- | ----- | +| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. | +| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. | + +### Azure Active Directory settings + +The following are the Azure Active Directory settings: + +| Check | Description | +| ----- | ----- | +| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.

        Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). | +| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. | +| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. | +| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | + +For each check, the tool will report one of four possible results: + +| Result | Meaning | +| ----- | ----- | +| Ready | No action is required before completing enrollment. | +| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

        You can complete enrollment, but you must fix these issues before you deploy your first device. | +| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | + +### Seeing issues with your tenant? + +If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate. + +### Delete data collected from the Readiness assessment tool + +Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool. + +> [!NOTE] +> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data. + +**To delete the data we collect:** + +1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Navigate to Windows Autopatch > **Tenant enrollment**. +3. Select **Delete all data**. + +## Step 3: Enroll your tenant + +> [!IMPORTANT] +> You must be a Global Administrator to enroll your tenant. + +Once the Readiness assessment tool provides you with a "Ready" result, you're ready to enroll! + +**To enroll your tenant:** + +Within the Readiness assessment tool, you'll now see the **Enroll** button. By selecting **Enroll**, you'll kick off the enrollment of your tenant to the Windows Autopatch service. During the enrollment workflow, you'll see the following: + +- Consent workflow to manage your tenant. +- Provide Windows Autopatch with IT admin contacts. 
+- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service. + +Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md). diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md new file mode 100644 index 0000000000..b9f8c7b372 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md @@ -0,0 +1,85 @@ +--- +title: Fix issues found by the Readiness assessment tool +description: This article details how to fix issues found by the Readiness assessment tool +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: how-to +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Fix issues found by the Readiness assessment tool + +For each check, the tool will report one of four possible results: + +| Result | Meaning | +| ----- | ----- | +| Ready | No action is required before completing enrollment. | +| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.

        You can complete enrollment, but you must fix these issues before you deploy your first device. | +| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. | +| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. | + +> [!NOTE] +> The results reported by this tool reflect the status of your settings only at the time that you ran it. If you make changes later to policies in Microsoft Intune, Azure Active Directory (AD), or Microsoft 365, items that were "Ready" can become "Not ready". To avoid problems with Windows Autopatch operations, review the specific settings described in this article before you change any policies. + +## Microsoft Intune settings + +You can access Intune settings at the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). + +### Unlicensed admins + +This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. + +| Result | Meaning | +| ----- | ----- | +| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

        For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | + +### Update rings for Windows 10 or later + +Your "Windows 10 update ring" policy in Intune must not target any Windows Autopatch devices. + +| Result | Meaning | +| ----- | ----- | +| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.

        After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).

        | +| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch. This advisory is flagging an action you should take after enrolling into the service:
        1. Make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
        2. If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also exclude the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).

        For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). | + +## Azure Active Directory settings + +You can access Azure Active Directory (AD) settings in the [Azure portal](https://portal.azure.com/). + +### Conditional access policies + +Conditional access policies must not prevent Windows Autopatch from connecting to your tenant. + +| Result | Meaning | +| ----- | ----- | +| Advisory | You have at least one conditional access policy that targets all users or at least one conditional access policy set as required for multi-factor authentication. These policies could prevent Windows Autopatch from managing the Windows Autopatch service.

        During enrollment, we'll attempt to exclude Windows Autopatch service accounts from relevant conditional access policies and apply new conditional access policies to restrict access to these accounts. However, if we're unsuccessful, this can cause errors during your enrollment experience.

        For best practice, [create an assignment that targets a specific Azure Active Directory (AD) group](/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) that doesn't include Windows Autopatch service accounts.

        | +| Error | The Intune Administrator role doesn't have sufficient permissions for this check. You'll also need to have these Azure Active Directory (AD) roles assigned to run this check:
        • Security Reader
        • Security Administrator
        • Conditional Access Administrator
        • Global Reader
        • Devices Administrator
        | + +### Licenses + +Windows Autopatch requires the following licenses: + +| Result | Meaning | +| ----- | ----- | +| Not ready | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium, and Microsoft Intune are required. For more information, see [more about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). | + +### Windows Autopatch service accounts + +Certain account names could conflict with account names created by Windows Autopatch. + +| Result | Meaning | +| ----- | ----- | +| Not ready | You have at least one account name that will conflict with account names created by Windows Autopatch. Work with your Microsoft account representative to exclude these account names. We don't list the account names publicly to minimize security risk. | + +### Security defaults + +Security defaults in Azure Active Directory (AD) will prevent Windows Autopatch from managing your devices. + +| Result | Meaning | +| ----- | ----- | +| Not ready | You have Security defaults turned on. Turn off Security defaults and set up conditional access policies. For more information, see [Common conditional access policies](/azure/active-directory/conditional-access/concept-conditional-access-policy-common). | diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md new file mode 100644 index 0000000000..3d918f7629 --- /dev/null +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md 
@@ -0,0 +1,51 @@ +--- +title: Prerequisites +description: This article details the prerequisites needed for Windows Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: conceptual +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Prerequisites + +Getting started with Windows Autopatch has been designed to be easy. This article outlines the infrastructure requirements you must meet to assure success with Windows Autopatch. + +| Area | Prerequisite details | +| ----- | ----- | +| Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).

        For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).

        For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | +| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.

        For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). | +| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.

        • For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
        • For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
        | +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.

        At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.

        Other device management prerequisites include:

        • Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
        • Devices managed only by Microsoft Endpoint Configuration Manager aren't supported.
        • Devices must be in communication with Microsoft Intune in the last 28 days. Otherwise, the devices won't be registered with Autopatch.
        • Devices must be connected to the internet.

        For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). | +| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | + +## More about licenses + +Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch: + +- Windows 10/11 Enterprise E3 +- Windows 10/11 Enterprise E5 +- Microsoft 365 E3 +- Microsoft 365 E5 + +The following Windows 64-bit editions are required for Windows Autopatch: + +- Windows 10/11 Pro +- Windows 10/11 Enterprise +- Windows 10/11 Pro for Workstations + +## Co-management requirements + +Windows Autopatch fully supports co-management. The following co-management requirements apply: + +- Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). +- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview). +- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths). +- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. +- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. +- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md new file mode 100644 index 0000000000..b81c723344 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md 
@@ -0,0 +1,33 @@ +--- +title: Windows Autopatch Preview Addendum +description: This article explains the Autopatch preview addendum +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Windows Autopatch Preview Addendum + +**This Windows Autopatch - Preview Addendum ("Addendum") to the Microsoft Product Terms** (as provided at: (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**"). + +## Background + +Microsoft desires to preview the Windows Autopatch service it is developing ("**Windows Autopatch Preview**") in order to evaluate it. Customer would like to particulate this Windows Autopatch Preview under the terms of the Product Terms and this Addendum. Windows Autopatch Preview consists of features and services that are in preview, beta, or other pre-release form. Windows Autopatch Preview is subject to the "preview" terms set forth in the Online Service sections of Product Terms. + +For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows: + +## Agreement + +### Definitions + +Capitalized terms used but not defined herein have the meanings given in the Product Terms. + +### Data Handling + +Windows Autopatch Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). 
Once Customer Data from Windows Autopatch Input Services is integrated into Windows Autopatch Preview, only the Product Terms and [DPA provisions)](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Windows Autopatch Preview apply to that data. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md new file mode 100644 index 0000000000..ec15b0ace9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md 
@@ -0,0 +1,120 @@ +--- +title: Privacy +description: This article provides details about the data platform and privacy compliance for Autopatch +ms.date: 05/30/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Privacy + +Windows Autopatch is a cloud service for enterprise customers designed to keep employees' Windows devices updated. This article provides details about data platform and privacy compliance for Windows Autopatch. + +## Windows Autopatch data sources and purpose + +Windows Autopatch provides its service to enterprise customers, and properly administers customers' enrolled devices by using data from various sources. + +The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft Windows 10/11. The sources provide a comprehensive view of the devices that Windows Autopatch manages. The service also uses these Microsoft services to enable Windows Autopatch to provide IT as a Service (ITaaS) capabilities: + +| Data source | Purpose | +| ------ | ------ | +| [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. | +| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. | +| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager:

        • [Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.
        • [Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.
        +| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. | +| [Microsoft 365 Apps for enterprise](/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps. | + +## Windows Autopatch data process and storage + +Windows Autopatch relies on data from multiple Microsoft products and services to provide its service to enterprise customers. + +To protect and maintain enrolled devices, we process and copy data from these services to Windows Autopatch. When we process data, we follow the documented directions you provide as referenced in the [Online Services Terms](https://www.microsoft.com/licensing/product-licensing/products) and [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). + +Processor duties of Windows Autopatch include ensuring appropriate confidentiality, security, and resilience. Windows Autopatch employs additional privacy and security measures to ensure proper handling of personal identifiable data. + +## Windows Autopatch data storage and staff location + +Windows Autopatch stores its data in the Azure data centers in the United States. + +Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). + +Windows Autopatch Service Engineering Team is in the United States, India and Romania. + +## Microsoft Windows 10/11 diagnostic data + +Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, troubleshoot problems, and make product improvements. 
+ +The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection. + +The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. While this will mean the diagnostic level will change to **Optional**, Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection). + +Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data. + +For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. + +## Microsoft Windows Update for Business + +Microsoft Windows Update for Business uses data from Windows diagnostics to analyze update status and failures. Windows Autopatch uses this data and uses it to mitigate, and resolve problems to ensure that all registered devices are up to date based on a predefined update cadence. 
+ +## Microsft Azure Active Directory + +Identifying data used by Windows Autopatch is stored by Azure Active Directory (Azure AD) in a geographical location. The geographical location is based on the location provided by the organization upon subscribing to Microsoft online services, such as Microsoft Apps for Enterprise and Azure. For more information on where your Azure AD data is located, see [Azure Active Directory - Where is your data located?](https://msit.powerbi.com/view?r=eyJrIjoiODdjOWViZDctMWRhZS00ODUzLWI4MmQtNWM5NjBkZTBkNjFlIiwidCI6IjcyZjk4OGJmLTg2ZjEtNDFhZi05MWFiLTJkN2NkMDExZGI0NyIsImMiOjV9) + +## Microsoft Intune + +Microsoft Intune collects, processes, and shares data to Windows Autopatch to support business operations and services. For more information about the data collected in Intune, see [Data collection in Intune](/mem/intune/protect/privacy-data-collect) + +For more information on Microsoft Intune data locations, see [Where your Microsoft 365 customer data is stored](/microsoft-365/enterprise/o365-data-locations). Intune respects the storage location selections made by the administrator for customer data. + +## Microsoft 365 Apps for enterprise + +Microsoft 365 Apps for enterprise collects and shares data with Windows Autopatch to ensure those apps are up to date with the latest version. These updates are based on predefined update channels managed by Windows Autopatch. For more information on Microsoft 365 Apps's data collection and storage locations, see [Microsoft Defender for Endpoint data storage and privacy](/microsoft-365/security/defender-endpoint/data-storage-privacy#what-data-does-microsoft-defender-atp-collect). + +## Major data change notification + +Windows Autopatch follows a change control process as outlined in our service communication framework. + +We notify customers through the Microsoft 365 message center, and the Windows Autopatch admin center of both security incidents and major changes to the service. 
+ +Changes to the types of data gathered and where it's stored are considered a material change. We'll provide a minimum of 30 days advanced notice of this change as it's standard practice for Microsoft 365 products and services. + +## Data subject requests + +Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data. + +These rights include: + +- Obtaining copies of personal data +- Requesting corrections to it +- Restricting the processing of it +- Deleting it +- Receiving it in an electronic format so it can be moved to another controller + +For more general information about Data Subject Requests (DSRs), see [Data Subject Requests and the GDPR and CCPA](/compliance/regulatory/gdpr-data-subject-requests). + +To exercise data subject requests on data collected by the Windows Autopatch case management system, see the following data subject requests: + +| Data subject requests | Description | +| ------ | ------ | +| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).

        Provide the following information:
        • Request type: Change request
        • Category: Security
        • Subcategory: Other
        • Description: Provide the relevant device names or user names.
        | + +For DSRs from other products related to the service, see the following articles: + +- [Windows diagnostic data](/compliance/regulatory/gdpr-dsr-windows) +- [Microsoft Intune data](/compliance/regulatory/gdpr-dsr-intune) +- [Azure Active Directory data](/compliance/regulatory/gdpr-dsr-azure) + +## Legal + +The following is Microsoft's privacy notice to end users of products provided by organizational customers. + +The [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) notifies end users that when they sign into Microsoft products with a work account: + +1. Their organization can control and administer their account (including controlling privacy-related settings), and access and process their data. +2. Microsoft may collect and process the data to provide the service to the organization and end users. diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index f0e2079b1c..b942f83a14 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -396,7 +396,7 @@ For the purposes of this demo, select **All** under the **MDM user scope** and s ## Register your VM -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than MSfB. +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than Microsoft Store for Business. ### Autopilot registration using Intune 
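Review bot: In windows-autopatch-privacy.md, the "Microsoft 365 Apps for enterprise" section sends readers to "Microsoft Defender for Endpoint data storage and privacy" (/microsoft-365/security/defender-endpoint/data-storage-privacy) for Microsoft 365 Apps data collection and storage locations. That looks like a copied link and should point at documentation for Microsoft 365 Apps itself. In the same file, the heading "## Microsft Azure Active Directory" is misspelled, and the "Where is your data located?" link is an msit.powerbi.com view URL with an opaque `r=` parameter rather than a docs path. The diagnostic data section also says the service uses "Enhanced diagnostic data" and, two paragraphs later, that it only processes "Windows 10 optional diagnostic data". Please state one level consistently, since customers will rely on that wording to scope what leaves enrolled devices.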
@@ -430,7 +430,7 @@ Optional: see the following video for an overview of the process. > [!video https://www.youtube.com/embed/IpLIZU_j7Z0] -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. +First, you need a Microsoft Store for Business account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one. Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page. 
@@ -445,16 +445,16 @@ Select the **Add devices** link to upload your CSV file. A message appears that ## Create and assign a Windows Autopilot deployment profile > [!IMPORTANT] -> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only *pick one for the purposes of this lab*: +> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or Microsoft Store for Business. Both processes are shown here, but only *pick one for the purposes of this lab*: Pick one: - [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +- [Create profiles using Microsoft Store for Business](#create-a-windows-autopilot-deployment-profile-using-msfb) ### Create a Windows Autopilot deployment profile using Intune > [!NOTE] -> Even if you registered your device in MSfB, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list. +> Even if you registered your device in Microsoft Store for Business, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list. ![Devices.](images/enroll4.png) 
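Review bot: The "Pick one" list item now reads "Create profiles using Microsoft Store for Business" but still targets `#create-a-windows-autopilot-deployment-profile-using-msfb`, and the heading that generates that anchor is not touched in any visible hunk. Either the heading still says "MSfB", which leaves the rename incomplete, or it was renamed elsewhere and this fragment no longer resolves. Please update the heading and the anchor together, and check for other in-page links to the old fragment.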
@@ -533,13 +533,13 @@ Select **OK**, and then select **Create**. If you already created and assigned a profile via Intune with the steps immediately above, then skip this section. -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in Microsoft Store for Business. These steps are also summarized below. First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. Select **Manage** from the top menu, then select **Devices** from the left navigation tree. -![MSfB manage.](images/msfb-manage.png) +![Microsoft Store for Business manage.](images/msfb-manage.png) Select the **Windows Autopilot Deployment Program** link in the **Devices** tile. @@ -548,17 +548,17 @@ To CREATE the profile: Select your device from the **Devices** list: > [!div class="mx-imgBorder"] -> ![MSfB create step 1.](images/msfb-create1.png) +> ![Microsoft Store for Business create step 1.](images/msfb-create1.png) On the Autopilot deployment dropdown menu, select **Create new profile**: > [!div class="mx-imgBorder"] -> ![MSfB create step 2.](images/msfb-create2.png) +> ![Microsoft Store for Business create step 2.](images/msfb-create2.png) Name the profile, choose your desired settings, and then select **Create**: > [!div class="mx-imgBorder"] -> ![MSfB create step 3.](images/msfb-create3.png) +> ![Microsoft Store for Business create step 3.](images/msfb-create3.png) The new profile is added to the Autopilot deployment list. 
@@ -567,12 +567,12 @@ To ASSIGN the profile: To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown: > [!div class="mx-imgBorder"] -> ![MSfB assign step 1.](images/msfb-assign1.png) +> ![Microsoft Store for Business assign step 1.](images/msfb-assign1.png) To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column: > [!div class="mx-imgBorder"] -> ![MSfB assign step 2.](images/msfb-assign2.png) +> ![Microsoft Store for Business assign step 2.](images/msfb-assign2.png) > [!IMPORTANT] > The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. 
@@ -609,7 +609,7 @@ Windows Autopilot takes over to automatically join your device into Azure AD and ## Remove devices from Autopilot -To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below. +To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or Microsoft Store for Business, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below. ### Delete (deregister) Autopilot device diff --git a/windows/docfx.json b/windows/docfx.json deleted file mode 100644 index 81d24652df..0000000000 --- a/windows/docfx.json +++ /dev/null 
@@ -1,44 +0,0 @@ -{ - "build": { - "content": - [ - { - "files": ["**/**.md", "**/**.yml"], - "exclude": ["**/obj/**"] - } - ], - "resource": [ - { - "files": ["**/images/**", "**/*.pdf", "**/*.bmp"], - "exclude": ["**/obj/**"] - } - ], - "globalMetadata": { - "recommendations": true, - "ROBOTS": "INDEX, FOLLOW", - "audience": "ITPro", - "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", - "uhfHeaderId": "MSDocsHeader-M365-IT", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.windows" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "Kellylorenebaker", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "externalReference": [ - ], - "template": "op.html", - "dest": "windows", - "markdownEngineName": "dfm" - } -} diff --git a/windows/hub/index.yml b/windows/hub/index.yml index 278064b469..3ef3314bf4 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -133,6 +133,9 @@ conceptualContent: - url: /windows/deployment/update/prepare-deploy-windows itemType: deploy text: Prepare to deploy Windows client + - url: /windows/deployment/windows-autopatch + itemType: deploy + text: Windows Autopatch # Card - title: App management diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index fe5f9e9510..c6ded941c3 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md 
@@ -1584,9 +1584,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4281,7 +4281,7 @@ The following fields are available: - **DeviceModel** What is the device model. - **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** The priority of the download activity. -- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. +- **DownloadScenarioId** A unique ID for a given download used to tie together Windows Update and DO events. - **DriverPingBack** Contains information about the previous driver and system state. - **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index f20bf940f2..8df5ccd434 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -1681,9 +1681,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update(WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index fc82f5a509..14bed98da4 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md 
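Review bot: In the 1709 file, the added WUDODownloadMode line has "Windows Update(WU) updates" with no space before the parenthesis, while the same line in the 1703 and 1803 files has "Windows Update (WU) updates". Please add the space so the field description is identical across versions. The unchanged WUMachineId line directly below already expands "Windows Update (WU)", so the abbreviation only needs to be introduced once in this list.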
@@ -1829,9 +1829,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
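Review bot: The added WUDODownloadMode description is still a run-on: "how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy ..." has no sentence break after "updates", and "DO" is used in the first clause before it is defined in the second. Since the line is being rewritten anyway, suggest "Retrieves whether Delivery Optimization (DO) is turned on and how to acquire/distribute updates. DO allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network."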
@@ -6126,7 +6126,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -8188,7 +8188,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
@@ -8210,7 +8210,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index e660f2df49..406fa55f82 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md 
@@ -2574,9 +2574,9 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4236,7 +4236,7 @@ The following fields are available: - **FlightId** The ID of the Windows Insider build the device received. - **InstallDate** The date the driver was installed. - **InstallFlags** The driver installation flags. -- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.) - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. 
@@ -7554,7 +7554,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -9816,7 +9816,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique GUID that identifies each instances of setuphost.exe. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
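Review bot: In the FixAppXReparsePoints field list (second hunk above), the unchanged line "**FlightId** Unique GUID that identifies each instances of setuphost.exe." repeats the InstanceId description word for word. The FixupEditionId and FixupWimmountSysPath lists in this same file describe FlightId as "Unique identifier for each flight." Please correct FlightId here while this block is being edited, and change "each instances" to "each instance" on the InstanceId line.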
@@ -9838,7 +9838,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. @@ -9861,7 +9861,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 2dd8d27ae5..fc4d236e62 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md 
@@ -2775,10 +2775,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). @@ -4337,7 +4337,7 @@ The following fields are available: - **FlightId** The ID of the Windows Insider build the device received. - **InstallDate** The date the driver was installed. - **InstallFlags** The driver installation flags. -- **OptionalData** Metadata specific to WU (Windows Update) associated with the driver (flight IDs, recovery IDs, etc.) +- **OptionalData** Metadata specific to Windows Update (WU) associated with the driver (flight IDs, recovery IDs, etc.) - **RebootRequired** Indicates whether a reboot is required after the installation. - **RollbackPossible** Indicates whether this driver can be rolled back. - **WuTargetedHardwareId** Indicates that the driver was installed because the device hardware ID was targeted by the Windows Update. 
@@ -7722,7 +7722,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -9395,7 +9395,7 @@ The following fields are available: - **updaterCmdLine** The command line requested by the updater. - **updaterId** The ID of the updater that requested the work. -- **wuDeviceid** WU device ID. +- **wuDeviceid** Windows Update device ID. ### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem 
@@ -9840,7 +9840,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. @@ -9862,7 +9862,7 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. 
@@ -9885,7 +9885,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index c867fe681a..ee2bf8af2f 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -119,7 +119,7 @@ Collects Office metadata through UTC to compare with equivalent data collected t Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). - **build:** App version -- **channel:** Is this part of SAC or SAC-T? +- **channel:** Is this part of GA Channel or SAC-T? - **errorCode:** What error occurred during the upgrade process? - **errorMessage:** what was the error message during the upgrade process? - **status:** Was the upgrade successful or not? 
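Review bot: The new **channel** line in the Office update event reads "Is this part of GA Channel or SAC-T?", which renames SAC but leaves SAC-T in the old naming and introduces "GA Channel" without expanding it. Either spell out both channel names on first use or rename both halves so the question uses one naming scheme.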
@@ -355,14 +355,14 @@ The following fields are available: Initialization of Explorer is complete. ## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning -For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption. +For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption. The following fields are available: - **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules. - **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app. - **appname:** App that triggered the event -- **status:** Indicates whether errors occurred during WIP learning events +- **status:** Indicates whether errors occurred during Windows Information Protection learning events ## Win32kTraceLogging.AppInteractivitySummary Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices. 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index f12658e2d0..b4ba7be281 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md @@ -84,7 +84,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [ 1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1** 1. **Mail synchronization** - 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)** + 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)** 1. **Microsoft Account** 1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)** 
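Review bot: The added AllowMicrosoftAccountConnection line now says "an Microsoft account"; the article was right for "an MSA account" but should become "a Microsoft account" after the expansion.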
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md index 084f8f8a9e..49191ee0d4 100644 --- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md +++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md @@ -2292,10 +2292,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
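Review bot: The rewritten **WUDODownloadMode** line is still a run-on: "how to acquire/distribute updates Delivery Optimization (DO) allows users ..." has no sentence break after "updates", and "DO" is used before it is defined. The hunk also introduces "(WU)" here and keeps it on the WUMachineId context line, while the new WUPauseState line drops the abbreviation; pick one pattern for the list and apply the same fix to the identical hunks in the 1903 and 2004 files.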
@@ -6022,7 +6022,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. @@ -6789,7 +6789,7 @@ The following fields are available: - **freeDiskSpaceInMB** Amount of free disk space. - **interactive** Informs if this action is caused due to user interaction. - **priority** The CPU and IO priority this action is being performed on. -- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.). +- **provider** The provider that is being invoked to perform this action (Windows Update , Legacy UO Provider etc.). - **update** Update related metadata including UpdateId. - **uptimeMinutes** Duration USO for up for in the current boot session. - **wilActivity** Wil Activity related information. 
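Review bot: The new **provider** line has a stray space before the comma in "(Windows Update , Legacy UO Provider etc.)"; it should read "(Windows Update, Legacy UO Provider, etc.)".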
@@ -6988,7 +6988,7 @@ The following fields are available: - **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** UpdateIds which are currently being deferred until a later time. -- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled. +- **DriverExclusionPolicy** Indicates if policy for not including drivers with Windows Update (WU) updates is enabled. - **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan. - **EventInstanceID** A globally unique identifier for event instance. - **ExcludedUpdateClasses** Update classifications being excluded via policy. @@ -8139,7 +8139,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **InstanceId** Unique GUID that identifies each instances of setuphost.exe. - **MitigationScenario** The update scenario in which the mitigation was executed. 
@@ -8161,7 +8161,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FlightId** Unique identifier for each flight. - **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry. - **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index b37678708d..d075c45196 100644 --- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md 
@@ -2305,10 +2305,10 @@ The following fields are available: - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. - **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network. - **WULCUVersion** Version of the LCU Installed on the machine. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 7d7f56a09d..2871ffa4fd 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -192,19 +192,19 @@ - name: Overview href: threat-protection/index.md - name: Microsoft Defender Antivirus - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - name: Attack surface reduction rules - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction - name: Tamper protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - name: Network protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + href: /microsoft-365/security/defender-endpoint/network-protection - name: Controlled folder access - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + href: /microsoft-365/security/defender-endpoint/controlled-folders - name: Exploit protection - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender for Endpoint - href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + href: /microsoft-365/security/defender-endpoint - name: More Windows security items: - name: Override Process Mitigation Options to help enforce app-related security policies @@ -394,7 +394,7 @@ - name: Overview href: cloud.md - name: Mobile device management - href: https://docs.microsoft.com/windows/client-management/mdm/ + href: /windows/client-management/mdm/ - name: Windows 365 Cloud PCs href: /windows-365/overview - name: Azure Virtual Desktop 
diff --git a/windows/security/apps.md b/windows/security/apps.md index e376d06d98..a2cd365e1b 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md @@ -4,9 +4,6 @@ description: Get an overview of application security in Windows 10 and Windows 1 ms.reviewer: manager: dansimp ms.author: dansimp -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/cloud.md b/windows/security/cloud.md index 7bccc2aa84..980e361561 100644 --- a/windows/security/cloud.md +++ b/windows/security/cloud.md @@ -5,15 +5,10 @@ ms.reviewer: author: denisebmsft ms.author: deniseb manager: dansimp -audience: ITPro ms.topic: conceptual ms.date: 09/20/2021 ms.localizationpriority: medium ms.custom: -f1.keywords: NOCSH -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security search.appverid: MET150 ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index 7c781c1bdf..c4062d7e7c 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -5,7 +5,6 @@ search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp -audience: ITPro ms.topic: conceptual ms.date: 09/07/2021 ms.prod: m365-security @@ -14,7 +13,6 @@ ms.localizationpriority: medium ms.collection: ms.custom: ms.reviewer: skhadeer, raverma -f1.keywords: NOCSH --- # Cryptography and Certificate Management diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md index 359afde71f..782617bafe 100644 --- a/windows/security/encryption-data-protection.md +++ b/windows/security/encryption-data-protection.md 
@@ -5,7 +5,6 @@ search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp -audience: ITPro ms.topic: conceptual ms.date: 09/08/2021 ms.prod: m365-security @@ -13,8 +12,7 @@ ms.technology: windows-sec ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: deepakm, rafals -f1.keywords: NOCSH +ms.reviewer: deepakm, rafals --- # Encryption and data protection in Windows client diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 435dd886c2..ffeb576881 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -4,9 +4,6 @@ description: Get an overview of hardware security in Windows 11 and Windows 10 ms.reviewer: manager: dansimp ms.author: dansimp -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 66754be796..db7379ba1f 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server | Attribute | Value | | :--: | :--: | -| Well-Known SID/RID | | -|Object Class| | +| Well-Known SID/RID | S-1-5-90 | +|Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
        [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
        | diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 3599199593..7d71cc00ce 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -59,6 +59,10 @@ The following known issues have been fixed by servicing releases made available ## Known issues involving third-party applications +The following issue affects MSCHAPv2: + +- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). + The following issue affects the Java GSS API. See the following Oracle bug database article: - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f5c9ad4cbf..b63bf80703 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
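Review bot: In credential-guard-known-issues.md, the new MSCHAPv2 bullet puts the whole issue statement inside the link text and writes "Credential guard" in lowercase, unlike the Java GSS entry below it, which uses the bug ID and title as link text and the full product name. Suggest stating the incompatibility in plain text, linking only the Cisco bug ID CSCul55352 the way the JDK entry does, and dropping "very popular", which is not something this page can support.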
@@ -26,46 +26,46 @@ ms.custom: - Windows 11 - Windows Server 2016 - Windows Server 2019 - +- Windows Server 2022 ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. -The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. ### Enable Windows Defender Credential Guard by using Group Policy You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. -1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. +1. 
From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. -2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. +1. Select **Turn On Virtualization Based Security**, and then select the **Enabled** option. -3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. +1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. -4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. +1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. -5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details. +1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). - ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png) + :::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting."::: -6. Close the Group Policy Management Console. +1. Select **OK**, and then close the Group Policy Management Console. -To enforce processing of the group policy, you can run ```gpupdate /force```. +To enforce processing of the group policy, you can run `gpupdate /force`. 
### Enable Windows Defender Credential Guard by using Intune -1. From **Home**, click **Microsoft Intune**. +1. From **Home**, select **Microsoft Intune**. -2. Click **Device configuration**. +1. Select **Device configuration**. -3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. +1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. - > [!NOTE] - > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. + > [!NOTE] + > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry 
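Review bot: The Group Policy screenshot reference changes from images/credguard-gp-2.png to images/credguard-gp.png, but nothing in this hunk shows that file being added or renamed; confirm credguard-gp.png exists in the images folder and shows the current dialog, otherwise the image link breaks. Separately, step 2 went from "Double-click" to "Select **Turn On Virtualization Based Security**", which no longer tells the reader to open the setting before choosing **Enabled**.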
@@ -81,72 +81,68 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. - -**Add the virtualization-based security features by using Programs and Features** +##### Add the virtualization-based security features by using Programs and Features -1. Open the Programs and Features control panel. +1. Open the Programs and Features control panel. -2. Click **Turn Windows feature on or off**. +1. Select **Turn Windows feature on or off**. -3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. +1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Select the **Isolated User Mode** check box at the top level of the feature selection. +1. Select the **Isolated User Mode** check box at the top level of the feature selection. -5. Click **OK**. +1. Select **OK**. -**Add the virtualization-based security features to an offline image by using DISM** +##### Add the virtualization-based security features to an offline image by using DISM -1. Open an elevated command prompt. +1. Open an elevated command prompt. -2. Add the Hyper-V Hypervisor by running the following command: +1. Add the Hyper-V Hypervisor by running the following command: - ```console - dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all - ``` - -3. Add the Isolated User Mode feature by running the following command: + ```cmd + dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all + ``` - ```console - dism /image: /Enable-Feature /FeatureName:IsolatedUserMode - ``` - - > [!NOTE] - > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. 
Running the command in step 3 above is therefore no longer required. +1. Add the Isolated User Mode feature by running the following command: + + ```cmd + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` + + > [!NOTE] + > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!TIP] > You can also add these features to an online image by using either DISM or Configuration Manager. #### Enable virtualization-based security and Windows Defender Credential Guard -1. Open Registry Editor. +1. Open Registry Editor. -2. Enable virtualization-based security: +1. Enable virtualization-based security: - 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. + 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`. -3. Enable Windows Defender Credential Guard: + 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. + 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. 
Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. -4. Close Registry Editor. +1. Enable Windows Defender Credential Guard: + 1. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`. + + 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. + +1. Close Registry Editor. > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. - - ### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -```console +```cmd DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` 
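Review bot: Both added DISM commands read `dism /image: /Enable-Feature ...` with nothing after `/image:`, so as shown they name no offline image to act on; put a visible placeholder for the mounted image path there. The NOTE under the Isolated User Mode step still says "the command in step 3 above", which is fragile now that every list item is written as `1.`; refer to the step by what it does instead. In the registry steps, the `LsaCfgFlags` line would benefit from saying that value 1 (UEFI lock) cannot be reversed by deleting the value alone, since the disable section later in this file depends on that distinction.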
@@ -157,24 +153,21 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot ### Review Windows Defender Credential Guard performance -**Is Windows Defender Credential Guard running?** +#### Is Windows Defender Credential Guard running? You can view System Information to check that Windows Defender Credential Guard is running on a PC. -1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. +1. Select **Start**, type **msinfo32.exe**, and then select **System Information**. -2. Click **System Summary**. +1. Select **System Summary**. -3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. +1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**. - Here's an example: - - > [!div class="mx-imgBorder"] - > ![System Information.](images/credguard-msinfo32.png) + :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -```console +```cmd DG_Readiness_Tool_v3.6.ps1 -Ready ``` 
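Review bot: `cmd` is the wrong fence language for `DG_Readiness_Tool_v3.6.ps1 -Ready`, because the line invokes a PowerShell script; tag it `powershell`, and do the same for the `-Enable -AutoReboot` call shown in this hunk's header context. The script is named `DG_Readiness_Tool.ps1` in that enable call and `DG_Readiness_Tool_v3.6.ps1` here, so settle on one file name across the page.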
@@ -186,65 +179,65 @@ DG_Readiness_Tool_v3.6.ps1 -Ready > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. -- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: +- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - - - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** - - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. - - - The second variable: **0** means that it's configured to run in protect mode. 
**1** means that it's configured to run in test mode. This variable should always be **0**. - - - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. - - - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - - - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - - You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. - - - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: - - ```powershell - (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - ``` + - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - This command generates the following output: - - - **0**: Windows Defender Credential Guard is disabled (not running) - - - **1**: Windows Defender Credential Guard is enabled (running) - - > [!NOTE] - > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. 
+ - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** + + - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. + + - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. + + - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] + + - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + +- You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs > Microsoft > Windows > Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. + +- You can use Windows PowerShell to determine whether credential guard is running on a client computer. 
On the computer in question, open an elevated PowerShell window and run the following command: + + ```powershell + (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning + ``` + + This command generates the following output: + + - **0**: Windows Defender Credential Guard is disabled (not running) + + - **1**: Windows Defender Credential Guard is enabled (running) + + > [!NOTE] + > Checking the task list or Task Manager to see if LSAISO.exe is running is not a recommended method for determining whether Windows Defender Credential Guard is running. ## Disable Windows Defender Credential Guard -To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. +To disable Windows Defender Credential Guard, you can use the following set of procedures or the [HVCI and Windows Defender Credential Guard hardware readiness tool](#disable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy. -1. 
If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). +1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**). -2. Delete the following registry settings: +1. Delete the following registry settings: - - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags + - `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags` -3. If you also wish to disable virtualization-based security delete the following registry settings: + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags` + +1. If you also wish to disable virtualization-based security delete the following registry settings: + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity` + + - `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures` - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity - - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures - > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: +1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. 
From an elevated command prompt, type the following commands: - ```console + ```cmd mountvol X: /s copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader 
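Review bot: The delete lists in steps 2 and 3 do not cover the keys that the manual enable procedure in this same file writes. That procedure sets `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`, while step 3 lists only the `SOFTWARE\Policies\Microsoft\Windows\DeviceGuard` copies. Given the IMPORTANT note that a partial removal can send the device into BitLocker recovery, list both locations or say which one applies to which enablement method. In the rewritten Event ID 51 bullet, the sample text ends with `TPM PCR mask: 0x0` immediately before the sentence saying a TPM yields a non-zero mask, and the bold emphasis on the fields to read was dropped when the text moved into inline code; say that the sample shows the no-TPM case or use a non-zero mask in the sample.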
@@ -255,28 +248,26 @@ To disable Windows Defender Credential Guard, you can use the following set of p mountvol X: /d ``` -5. Restart the PC. +1. Restart the PC. -6. Accept the prompt to disable Windows Defender Credential Guard. +1. Accept the prompt to disable Windows Defender Credential Guard. -7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. +1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard. > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: > - >```console - >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS - >bcdedit /set vsmlaunchtype off - >``` + > ```cmd + > bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS + > bcdedit /set vsmlaunchtype off + > ``` For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](../../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). > [!NOTE] > Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. - - -#### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool +### Disable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). 
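Review bot: The item "Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard" is still a numbered step after "Accept the prompt", so it reads as the next thing to do rather than a different route; move it out of the list as its own paragraph. The NOTE beneath it combines two unrelated points, the one-time domain controller access for EFS content and the `bcdedit` commands that turn off VBS; splitting them would make the `DISABLE-LSA-ISO,DISABLE-VBS` load options easier to find and harder to run by accident.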
@@ -289,7 +280,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot > > This is a known issue. -#### Disable Windows Defender Credential Guard for a virtual machine +### Disable Windows Defender Credential Guard for a virtual machine From the host, you can disable Windows Defender Credential Guard for a virtual machine: diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png deleted file mode 100644 index ead9410405..0000000000 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png and /dev/null differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp.png b/windows/security/identity-protection/credential-guard/images/credguard-gp.png index 827121f0fc..ad34b6deb3 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-gp.png and b/windows/security/identity-protection/credential-guard/images/credguard-gp.png differ diff --git a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png index 46f838c8d2..c9737e3236 100644 Binary files a/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png and b/windows/security/identity-protection/credential-guard/images/credguard-msinfo32.png differ diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index fae8060193..cbaecf9da3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -48,7 +48,7 @@ The Windows Server 2016 or later domain controller is handling 100 percent of al ![dc-chart3.](images/plan/dc-chart3.png) -Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same. +Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of Windows Hello for Business clients remains the same. ![dc-chart4.](images/plan/dc-chart4.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 72148e773a..4753b3c6f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -84,8 +84,9 @@ For errors listed in this table, contact Microsoft Support for assistance. | Hex | Cause | |-------------|---------| -| 0X80072F0C | Unknown | | 0x80070057 | Invalid parameter or argument is passed. | +| 0X80072F0C | Unknown | +| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.| | 0x80090010 | NTE_PERM | | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | @@ -105,7 +106,6 @@ For errors listed in this table, contact Microsoft Support for assistance. | ​0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. | - ## Related topics - [Windows Hello for Business](hello-identity-verification.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 3843fecaa8..b964f460e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
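Review bot: In hello-errors-during-pin-creation.md, the new `0x80072F8F` row gives its cause as a clock mismatch with "the activation server" while "attempting to activate Windows", which is activation wording in a table of PIN creation errors; reword the cause for the provisioning context so an admin knows to check time sync on the device. The relocated `0X80072F0C` row keeps its uppercase `0X` prefix while the neighbouring rows use `0x`; normalise it in the same change.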
@@ -44,6 +44,9 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. +> [!NOTE] +> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users. + ### Section Review > [!div class="checklist"] @@ -63,4 +66,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 187d42ad0f..b67d63f1b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
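Review bot: In hello-hybrid-key-whfb-settings-dir-sync.md, the added NOTE says "your ADConnect accounts", but step 5 just above calls the same identity "the service account used as an AD DS Connector account"; use one term so it is clear which account receives the membership. Because **Enterprise Key Admins** is a forest-wide grant, the note should also say whether it replaces or adds to the group assigned in the preceding steps, so that multi-domain deployments do not end up granting both without need.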
@@ -125,7 +125,7 @@ Before you continue with the deployment, validate your deployment progress by re ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business. ## Follow the Windows Hello for Business on premises certificate trust deployment guide diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png b/windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/aduc-account-scril.png 
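Review bot: In hello-key-trust-policy-settings.md, the changed sentence still reads "adding the group used synchronize users", which is missing "to"; fix it while the line is being touched. The same sentence talks about permission to enroll for an authentication certificate, and the context heading below it refers to the "certificate trust deployment guide", both in a key trust file; check that this wording was not carried over from the certificate trust article.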
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/exclude-credential-providers-properties.png diff --git a/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png b/windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/four-steps-passwordless-strategy.png diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-exclude-credential-providers.png diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-require-smart-card-policy.png 
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png b/windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/gpmc-security-options.png diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png b/windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/require-whfb-smart-card-policy.png diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png b/windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/server-2012-adac-user-scril.png diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-domain-scril.png 
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png similarity index 100% rename from windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png rename to windows/security/identity-protection/hello-for-business/images/passwordless/server-2016-adac-user-scril.png diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f54986956f..8ca6538d48 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -1,136 +1,150 @@ --- -title: Passwordless Strategy +title: Password-less strategy description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. -keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro author: GitPrakhar13 ms.author: prsriva manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/20/2018 ms.reviewer: +ms.collection: M365-identity-device-management +ms.topic: conceptual +localizationpriority: medium +ms.date: 05/24/2022 --- -# Passwordless Strategy + +# Password-less strategy + +This article describes Windows' password-less strategy. Learn how Windows Hello for Business implements this strategy in Windows 10 and Windows 11. ## Four steps to password freedom -Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. -![Passwordless approach.](images/four-steps-passwordless.png) +Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. +:::image type="content" source="images/passwordless/four-steps-passwordless-strategy.png" alt-text="Diagram of stair-step strategy with four steps."::: ### 1. Develop a password replacement offering + Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. 
Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards a password-less environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. -### 3. Transition into a passwordless deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: -- the users never type their password -- the users never change their password -- the users do not know their password +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. 
This state helps decondition users from providing a password anytime a password prompt shows on their computer. This behavior is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. + +### 3. Transition into a password-less deployment + +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: + +- The users never type their password. +- The users never change their password. +- The users don't know their password. In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. + +The final step of the password-less story is where passwords simply don't exist. At this step, identity directories no longer persist any form of the password. This stage is where Microsoft achieves the long-term security promise of a truly password-less environment. ## Methodology -Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. 
While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. -### Prepare for the Journey -The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey. +Four steps to password freedom provide an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a password-less environment, but can easily become overwhelmed by any of the steps. You aren't alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here's one recommendation based on several years of research, investigation, and customer conversations. + +### Prepare for the journey + +The road to being password-less is a journey. The duration of that journey varies for each organization. It's important for IT decision-makers to understand the criteria influencing the length of that journey. + +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the following components: -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the: - Number of departments - Organization or department hierarchy - Number and type of applications and services - Number of work personas - - Organization's IT structure #### Number of departments -The number of departments within an organization varies. 
Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and others such as research and development or support. Small organizations may not explicitly segment their departments, while larger ones may. Additionally, there may be subdepartments, and subdepartments of those subdepartments as well. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. 
+You need to know all the departments within your organization and you need to know which departments use computers and which ones don't. It's fine if a department doesn't use computers (probably rare, but acceptable). This circumstance means there's one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you've assessed that it's not applicable. + +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This realization is why you need to inventory all of them. Also, don't forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. + +Organization and department hierarchy is the management layers within the departments or the organization as a whole. 
How the device is used, what applications and how they're used, most likely differs between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. +Most organizations have many applications and rarely do they have one centralized list that's accurate. Applications and services are the most critical items in your password-less assessment. 
Applications and services take considerable effort to move to a different type of authentication. Changing policies and procedures can be a daunting task. Consider the trade-off between updating your standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. + +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, don't forget web-based applications or services when inventorying applications. #### Number of work personas -Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. +Work personas are where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this information, you want to create a work persona. 
+ +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There's a high probability that you'll have many work personas. These work personas will become units of work, and you'll refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software. +Ultimately, create a naming convention that doesn't require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you're talking about a person who is in that department and who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. 
Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. -#### Assess your Organization -You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what? +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there's a password-less stakeholder on each of these teams, and that the effort is understood and funded. -By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. 
+#### Assess your organization -How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). Those resources will: -- work through the work personas -- organize and deploy user acceptance testing -- evaluate user acceptance testing results for user-visible password surfaces -- work with stakeholders to create solutions that mitigate user-visible password surfaces -- add the solution to the project backlog and prioritize against other projects -- deploy the solution -- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface -- repeat the testing as needed +You have a ton of information. You've created your work personas, you've identified your stakeholders throughout the different IT groups. Now what? -Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. 
Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. +By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you've identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's only a matter of moving users to it. Resolution to some passwords surfaces may exist, but aren't deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That project is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely affect productivity. + +How long does it take to become password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that a password-less environment is the organization's goal makes conversations much easier. Easier conversations mean less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. 
After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they've agreed on the strategy). Those resources will: + +- Work through the work personas. +- Organize and deploy user acceptance testing. +- Evaluate user acceptance testing results for user visible password surfaces. +- Work with stakeholders to create solutions that mitigate user visible password surfaces. +- Add the solution to the project backlog and prioritize against other projects. +- Deploy the solution. +- Perform user acceptance testing to confirm that the solution mitigates the user visible password surface. +- Repeat the testing as needed. + +Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it's likely that to go password-less tomorrow is *n x 2* or more, *n x n*. Don't let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you'll see parts of your organization transition to a password-less state. ### Where to start? -What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. + +What's the best guidance for kicking off the journey to password freedom? 
You'll want to show your management a proof of concept as soon as possible. Ideally, you want to show it at each step of your password-less journey. Keeping your password-less strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom. + +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. It's the targeted work persona you'll enable so that you can climb the steps to password freedom. > [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This method is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. 
It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your password-less journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These roles are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona. +Most organizations host their proof of concept in a test lab or environment. If you do that test with a password-free strategy, it may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This process could take a few days or several weeks, depending on the complexity of the targeted work persona. -You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. +You'll want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. 
-## The Process +## The process The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: -1. Passwordless replacement offering (Step 1) +1. Password-less replacement offering (step 1) 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. 3. Validate that passwords and Windows Hello for Business work. -2. Reduce User-visible Password Surface (Step 2) +2. Reduce user-visible password surface (step 2) 1. Survey test user workflow for password usage. 2. Identify password usage and plan, develop, and deploy password mitigations. 3. Repeat until all user password usage is mitigated. 4. Remove password capabilities from Windows. 5. Validate that **none of the workflows** need passwords. -3. Transition into a passwordless scenario (Step 3) +3. Transition into a password-less scenario (step 3) 1. Awareness campaign and user education. 2. Include remaining users who fit the work persona. 3. Validate that **none of the users** of the work personas need passwords. 
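Review bot: In the added bullet list under "Assess your organization", three bullets drop the hyphen ("user visible password surfaces"), while the headings in this same change keep "user-visible password surface". Keep the hyphenated compound throughout. The added paragraph just above that list carries over "Resolving some password surfaces are simple" and "Resolution to some passwords surfaces may exist, but aren't deployed"; since these lines are being rewritten anyway, fix the agreement ("is simple", "isn't deployed") and the stray plural ("password surfaces"). In the [!IMPORTANT] note, "This method is probably the worst way" has no clear referent after the rewrite; naming the subject, for example "Starting with IT personas is probably the worst way", would read unambiguously, and "It is better to save" in the same note is left uncontracted while the rest of the change contracts.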
@@ -138,159 +152,198 @@ The journey to password freedom is to take each work persona through each step o After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. -### Passwordless replacement offering (Step 1) +### Password-less replacement offering (step 1) + The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. + +A successful transition relies on user acceptance testing. It's impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. 
Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. +Next, you'll want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming password-less. Use the [Windows Hello for Business planning guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. + +With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you'll only need to deploy the infrastructure once. When other targeted work personas need to start using Windows Hello for Business, add them to a group. You'll use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] > There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. #### Validate that passwords and Windows Hello for Business work + In this first step, passwords and Windows Hello for Business must coexist. 
You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. -### Reduce User-visible Password Surface (Step 2) -Before you move to step 2, ensure you have: -- selected your targeted work persona. -- identified your test users who represent the targeted work persona. -- deployed Windows Hello for Business to test users. -- validated passwords and Windows Hello for Business both work for the test users. +### Reduce user-visible password surface (step 2) + +Before you move to step 2, make sure you've: + +- Selected your targeted work persona. +- Identified your test users who represent the targeted work persona. +- Deployed Windows Hello for Business to test users. +- Validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: -- What is the name of the application that asked for a password?. -- Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). -- What part of their workflow makes them use the application? 
Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). -- How frequently do you use this application in a given day? week? +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you don't know what, why, when, and how frequently. This information is important as you further your progress through step 2. + +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list isn't a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: + +- What's the name of the application that asked for a password? +- Why do they use the application that asked for a password? For example, is there more than one application that can do the same thing? +- What part of their workflow makes them use the application? Try to be as specific as possible. For example, "I use application x to issue credit card refunds for amounts over y." +- How frequently do you use this application in a given day or week? - Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. 
An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being password-less. #### Identify password usage and plan, develop, and deploy password mitigations -Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Your test users have provided you valuable information that describes how, what, why, and when they use a password. It's now time for your team to identify each of these password use cases and understand why the user must use a password. + +Create a list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it's policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. + +Keep in mind your test users won't uncover all scenarios. Some scenarios you'll need to force on your users because they're low percentage scenarios. Remember to include the following scenarios: -Keep in mind your test users will not uncover all scenarios. 
Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions, whichever of the two is easier or quicker. This choice will certainly vary by organization. Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one of the more challenging obstacles in the password-less journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). 
The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. -Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. +Each scenario on your list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. 
You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. + +Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This stage is where you rely on your test users. You want to keep a good portion of your first test users, but this point is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you've closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you're stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you're out of options, contact Microsoft for assistance. #### Remove password capabilities from Windows -You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password. + +You believe you've mitigated all the password usage for the targeted work persona. Now comes the true test: configure Windows so the user can't use a password. Windows provides two ways to prevent your users from using passwords. 
You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. -##### Security Policy +##### Security policy + You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. -![securityPolicyLocation.](images/passwordless/00-securityPolicy.png) + +:::image type="content" source="images/passwordless/gpmc-security-options.png" alt-text="The Group Policy Management Editor displaying the location of the Security Options node."::: **Windows Server 2016 and earlier** The policy name for these operating systems is **Interactive logon: Require smart card**. -![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png) + +:::image type="content" source="images/passwordless/gpmc-require-smart-card-policy.png" alt-text="The Group Policy Management Editor displaying the location of the policy 'Interactive logon: Require smart card'."::: **Windows 10, version 1703 or later using Remote Server Administrator Tools** The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. -![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png) + +:::image type="content" source="images/passwordless/require-whfb-smart-card-policy.png" alt-text="Highlighting the security policy 'Interactive logon: Require Windows Hello for Business or smart card'."::: When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. 
If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon** -![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png) -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. -![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png) +You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**: -Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. +:::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: + +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. 
+ +:::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: + +Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This configuration prevents the user from entering a password using the credential provider. However, this change doesn't prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. #### Validate that none of the workflows needs passwords -This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. -### Transition into a passwordless deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. +This stage is the significant moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users won't be able to use a password. Users will be blocked if any of their workflows ask them for a password. 
Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Don't forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or can't use their strong credential. Ensure those scenarios are validated as well. + +### Transition into a password-less deployment (step 3) + +Congratulations! You're ready to transition one or more portions of your organization to a password-less deployment. You've validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You're just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign. + +In this last step, you're going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this step, you want to invest in an awareness campaign. An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. + +You've implemented the awareness campaign for the targeted users. 
These users are informed and ready to transition to being password-less. Add the remaining users that match the targeted work persona to your deployment. #### Validate that none of the users of the work personas needs passwords -You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment. -Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: +You've successfully transitioned all users for the targeted work persona to being password-less. Monitor the users within the work persona to ensure they don't encounter any issues while working in a password-less environment. + +Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, consider the following questions: + - Is the reporting user performing a task outside the work persona? - Is the reported issue affecting the entire work persona, or only specific users? - Is the outage a result of a misconfiguration? -- Is the outage a overlooked gap from step 2? +- Is the outage an overlooked gap from step 2? Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. 
Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this outcome isn't the end goal, but don't let it slow down your momentum towards becoming password-less. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. -#### Configure user accounts to disallow password authentication. -You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +#### Configure user accounts to disallow password authentication + +You transitioned all the users for the targeted work persona to a password-less environment and you've successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. -The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL). +The account options on a user account include the option **Smart card is required for interactive logon**, also known as SCRIL. > [!NOTE] > Do not confuse the Interactive Logon security policy for SCRIL. 
Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. -![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png) -**SCRIL setting for a user on Active Directory Users and Computers.** +The following image shows the SCRIL setting for a user in Active Directory Users and Computers: -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: -- the do not know their password. -- their password is 128 random bits of data and is likely to include non-typable characters. -- the user is not asked to change their password -- domain controllers do not allow passwords for interactive authentication +:::image type="content" source="images/passwordless/aduc-account-scril.png" alt-text="Example user properties in Active Directory that shows the SCRIL setting on Account options."::: -![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png) -**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account don't allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level don't expire. 
The users are effectively password-less because: + +- They don't know their password. +- Their password is 128 random bits of data and is likely to include non-typable characters. +- The user isn't asked to change their password. +- Domain controllers don't allow passwords for interactive authentication. + +The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012: + +:::image type="content" source="images/passwordless/server-2012-adac-user-scril.png" alt-text="Example user properties in Windows Server 2012 Active Directory Administrative Center that shows the SCRIL setting."::: > [!NOTE] -> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. +> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account to generate a new random 128 bit password. Use the following process to toggle this configuration: +> +> 1. Disable the setting. +> 1. Save changes. +> 1. Enable the setting. +> 1. Save changes again. +> +> When you upgrade the domain to Windows Server 2016 domain forest functional level or later, the domain controller automatically does this action for you. 
-![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png) -**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** +The following image shows the SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016: -> [!NOTE] +:::image type="content" source="images/passwordless/server-2016-adac-user-scril.png" alt-text="Example user properties in Windows Server 2016 Active Directory Administrative Center that shows the SCRIL setting."::: + +> [!TIP] > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. -![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png) +Domains configured for Windows Server 2016 or later domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. + +In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. 
When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128-bit password for the user as part of the authentication. This feature is great because your users don't experience any change password notifications or any authentication outages. + +:::image type="content" source="images/passwordless/server-2016-adac-domain-scril.png" alt-text="The Active Directory Administrative Center on Windows Server 2016 showing the domain setting for SCRIL."::: > [!NOTE] > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. -## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +## The road ahead +The information presented here is just the beginning. We'll update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a password-less future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). diff --git a/windows/security/identity.md b/windows/security/identity.md index bf6a97473a..797f089f86 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md 
@@ -4,9 +4,6 @@ description: Get an overview of identity security in Windows 11 and Windows 10 ms.reviewer: manager: dansimp ms.author: dansimp -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md index 0a0b518012..fea16b36fc 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md 
@@ -22,62 +22,59 @@ ms.custom: bitlocker **Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker. When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered. ## BitLocker and BCD Settings -In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery. +In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode. -In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile. +In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. 
If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences. +If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage. ### When secure boot is enabled -Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. +Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored. -One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system. +One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system. ## Customizing BCD validation settings -To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting. 
+To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting. -For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include: +For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog: - winload - winresume - memtest -- all +- all of the above All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.” -The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event. +The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event. You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”. -Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy. 
+Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy. -When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax: +When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax: - Prefix the setting with the boot application prefix - Append a colon ‘:’ - Append either the hex value or the friendly name - If entering more than one BCD setting, you will need to enter each BCD setting on a new line -For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value. +For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value. -Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. +A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields. > [!NOTE] > Take care when configuring BCD entries in the Group Policy setting. 
The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.   ### Default BCD validation profile -The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems: +The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions: | Hex Value | Prefix | Friendly Name | | - | - | - | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 1e29149153..6bb70b5515 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -49,6 +49,7 @@ BitLocker encryption can be done using the following methods: ### Encrypting volumes using the BitLocker control panel Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet. + To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume). ### Operating system volume 
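Review bot: In the **Customizing BCD validation settings** changes of the BCD validation file, the prefix list item `all` becomes `all of the above`, which turns a literal prefix value into a description while the examples a few lines later still use it as a literal (`all:locale`, `all:winpe`). Keep the list item as `all` and explain in a separate sentence that it applies the setting to every boot application. This matters more than a wording slip because the unchanged note at the end of the section says the Local Group Policy Editor does not validate the entry and BitLocker fails to be enabled when the value is invalid. Two smaller points in the same region: the rewritten lead-in ("... not part of the set to which the BCD settings are already applicable to") doubles the preposition and no longer states that a setting is either tied to one boot application or applies to all of them, and the example paragraph still spells the setting both as `win-pe` and as `winpe`.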
@@ -69,8 +70,6 @@ Once a strong password has been created for the volume, a recovery key will be g You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies. -When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options: - - Encrypt used disk space only - Encrypts only disk space that contains data - Encrypt entire drive - Encrypts the entire volume including free space 
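Review bot: The two bullets "Encrypt used disk space only" and "Encrypt entire drive" are left without a lead-in, because the removed sentence ("When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:") is not replaced by anything. As the text now stands, the list follows directly after the recovery key storage paragraph and reads as if it were a list of recovery key options. Restore the sentence or add a shorter one that says the wizard now asks for the encryption type.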
@@ -81,7 +80,8 @@ It's recommended that drives with little to no data use the **used disk space on Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. -After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. + +After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker. 
@@ -93,16 +93,15 @@ Unlike for operating system volumes, data volumes aren't required to pass any co After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes. With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected. -With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption. +With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption. Encryption status displays in the notification area or within the BitLocker control panel. ### OneDrive option -There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. +There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain. -Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. 
The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, -they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. +Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name. ### Using BitLocker within Windows Explorer @@ -110,7 +109,7 @@ Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by ## Down-level compatibility -The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows. +The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows. Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes 
@@ -131,7 +130,7 @@ Command-line users need to determine the appropriate syntax for a given situatio ### Operating system volume -Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. +Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key. **Determining volume status** 
@@ -143,7 +142,7 @@ This command returns the volumes on the target, current encryption status, and v **Enabling BitLocker without a TPM** -For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. +For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you'll need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You'll need to reboot the computer when prompted to complete the encryption process. ```powershell manage-bde –protectors -add C: -startupkey E: 
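Review bot: The option name in the reworded paragraph is still written with an en dash ("–protectors"), and the unchanged sample command under it, `manage-bde –protectors -add C: -startupkey E:`, carries the same character. Since the paragraph is being edited anyway, change both to an ASCII hyphen (`-protectors`), which is how the other `manage-bde` commands in this file are written, so the sample can be copied without depending on how the shell or the tool treats a non-ASCII dash.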
@@ -156,21 +155,21 @@ It's possible to encrypt the operating system volume without any defined protect `manage-bde -on C:` -This command will encrypt the drive using the TPM as the protector. If a user is unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information with the command: +This will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the -protectors option in manage-bde to list this information by executing the following command: `manage-bde -protectors -get ` **Provisioning BitLocker with two protectors** -Another example is a user on non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Use this command: +Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. This is done with the command: `manage-bde -protectors -add C: -pw -sid ` -This command will require the user to enter and then confirm the password protector before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker. +This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn BitLocker on. ### Data volume -Data volumes use the same syntax for encryption as operating system volumes but they do not require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume. 
+Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command: `manage-bde -on ` or users can choose to add protectors to the volume. We recommend that you add at least one primary protector and a recovery protector to a data volume. **Enabling BitLocker with a password** @@ -200,11 +199,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us |**Suspend-BitLocker**|
      • Confirm
      • MountPoint
      • RebootCount
      • WhatIf| |**Unlock-BitLocker**|
      • AdAccountOrGroup
      • Confirm
      • MountPoint
      • Password
      • RecoveryKeyPath
      • RecoveryPassword
      • RecoveryPassword
      • WhatIf| -Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets. +Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets. A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information. -Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. +Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you don't see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors. > [!NOTE] > In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID. 
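Review bot: Under **Provisioning BitLocker with two protectors** (the hunk starting at -156,21), "a user on a non-TPM hardware" adds an article that does not fit; the original "a user on non-TPM hardware" was correct. In the same hunk, "enter and then confirm the password protectors" changes the singular of the original to a plural although only the password is entered and confirmed, so keep "password protector". "This will encrypt the drive" also drops the subject that the original had ("This command will encrypt"); keeping "This command" avoids a dangling pronoun right after an inline command.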
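Review bot: The unchanged sentence between the two edited paragraphs of the cmdlet section (hunk -200,11) still names the cmdlet as "the `Get-BitLocker` volume cmdlet", while the following paragraph and the examples use **Get-BitLockerVolume**; fix the name in this pass since the surrounding lines are already being touched. The **Unlock-BitLocker** row in the table context above also lists RecoveryPassword twice, which is worth cleaning up in the same change.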
@@ -212,9 +211,8 @@ Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** ```powershell Get-BitLockerVolume C: | fl ``` - -If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this task requires the GUID associated with the protector to be removed. -A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: +If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. +A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below: ```powershell $vol = Get-BitLockerVolume @@ -227,9 +225,8 @@ Using this information, we can then remove the key protector for a specific volu ```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` - > [!NOTE] -> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. +> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command. ### Operating system volume 
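Review bot: The empty line after the closing code fence is removed in both hunks here, once before "If you want to remove the existing protectors ..." and once before the `> [!NOTE]` block, while other hunks in this same file add empty lines around paragraphs and before an opening fence. Keep one empty line between a closing fence and the paragraph or alert that follows so the spacing is consistent across the file. The reworded sentence "A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable" is also harder to follow than the original; "pipe the values returned by **Get-BitLockerVolume** to another variable" says the same thing more directly.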
@@ -249,7 +246,8 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes ### Data volume -Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. +Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins. + ```powershell $pw = Read-Host -AsSecureString @@ -275,7 +273,6 @@ For users who wish to use the SID for the account or group, the first step is to ```powershell Get-ADUser -filter {samaccountname -eq "administrator"} ``` - > [!NOTE] > Use of this command requires the RSAT-AD-PowerShell feature. 
@@ -287,17 +284,16 @@ In the example below, the user wishes to add a domain SID-based protector to the ```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` - > [!NOTE] -> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. +> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes. ## Checking BitLocker status -To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We will look at each of the available methods in the following section. +To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, manage-bde command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section. ### Checking BitLocker status with the control panel -Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume will display next to the volume description and drive letter. Available status return values with the control panel include: +Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include: | Status | Description | | - | - | 
@@ -307,6 +303,7 @@ Checking BitLocker status with the control panel is the most common method used | **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected| If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, manage-bde tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status. + Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume. The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process. 
@@ -329,30 +326,29 @@ manage-bde -status Windows PowerShell commands offer another way to query BitLocker status for volumes. Like manage-bde, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer. -Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: +Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: ```powershell Get-BitLockerVolume -Verbose | fl ``` - -This command will display information about the encryption method, volume type, key protectors, etc. +This command displays information about the encryption method, volume type, key protectors, etc. ### Provisioning BitLocker during operating system deployment -Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation Environment. This task is done with a randomly generated clear key protector applied to the formatted volume and encrypting the volume prior to running the Windows setup process. If the encryption uses the Used Disk Space Only option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. +Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. This is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes. 
### Decrypting BitLocker volumes -Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption should not occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We will discuss each method further below. +Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, manage-bde, or Windows PowerShell cmdlets. We'll discuss each method further below. ### Decrypting volumes using the BitLocker control panel applet -BitLocker decryption using the control panel is done using a Wizard. The control panel can be called from Windows Explorer or by opening the directly. After opening the BitLocker control panel, users will select the Turn off BitLocker option to begin the process. -Once selected, the user chooses to continue by clicking the confirmation dialog. With Turn off BitLocker confirmed, the drive decryption process will begin and report status to the control panel. +BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process. +After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel. The control panel doesn't report decryption progress but displays it in the notification area of the task bar. 
Selecting the notification area icon will open a modal dialog with progress. -Once decryption is complete, the drive will update its status in the control panel and is available for encryption. +Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption. ### Decrypting volumes using the manage-bde command-line interface @@ -361,8 +357,7 @@ Decrypting volumes using manage-bde is straightforward. Decryption with manage-b ```powershell manage-bde -off C: ``` - -This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: +This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command: ```powershell manage-bde -status C: @@ -378,7 +373,7 @@ Using the Disable-BitLocker command, they can remove all protectors and encrypti Disable-BitLocker ``` -If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: +If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: ```powershell Disable-BitLocker -MountPoint E:,F:,G: diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 0d8ddfd9ee..619291134f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -28,12 +28,12 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks. +Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. -For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. +For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer’s hard disk to a different computer. -BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by: +BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by: - **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. 
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. @@ -44,16 +44,16 @@ For more information about how to enable the best overall security configuration ## Protection before startup -Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot. +Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot. ### Trusted Platform Module A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. -BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline. +BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). -### UEFI and Secure Boot +### UEFI and secure boot Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. 
@@ -61,7 +61,7 @@ The UEFI specification defines a firmware execution authentication process calle Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. -An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key. +An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. ### BitLocker and reset attacks 
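Review bot: Capitalization of the feature name is now inconsistent inside one section: the patch lowercases the heading to "UEFI and secure boot" and the intro to "secure boot, and measured boot", but the unchanged lines in this hunk still read "Secure Boot blocks untrusted firmware" and "integrity protection for Secure Boot". Either extend the lowercase style to these two sentences in this change or leave the heading and intro capitalized. The **Trusted Platform Module** heading just above was also left capitalized while its first mention in the intro was lowercased, so pick one rule and apply it to both terms.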
@@ -87,19 +87,19 @@ This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. -- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. -- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. 
+- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required. 
-In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: +In the following group policy example, TPM + PIN is required to unlock an operating system drive: ![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png) Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -On the other hand, Pre-boot authentication prompts can be inconvenient to users. +On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. 
@@ -117,14 +117,14 @@ You can use the System Information desktop app (MSINFO32) to check if a device h ![Kernel DMA protection.](images/kernel-dma-protection.png) -If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: +If kernel DMA protection is *not* enabled, follow these steps to protect Thunderbolt™ 3-enabled ports: 1. Require a password for BIOS changes -2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11): - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy - - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.) + - Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.) For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (a.k.a. 
Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). @@ -136,7 +136,8 @@ This section covers countermeasures for specific types of attacks. ### Bootkits and rootkits A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. -The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released. +The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released. + This is the default configuration. A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. @@ -148,7 +149,7 @@ Require TPM + PIN for anti-hammering protection. ### DMA attacks -See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic. +See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article. ### Paging file, crash dump, and Hyberfil.sys attacks These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. @@ -156,7 +157,7 @@ It also blocks automatic or manual attempts to move the paging file. ### Memory remanence -Enable Secure Boot and require a password to change BIOS settings. +Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. ## Attacker countermeasures 
@@ -165,9 +166,9 @@ The following sections cover mitigations for different types of attackers. ### Attacker without much skill or with limited physical access -Physical access may be limited by a form factor that does not expose buses and memory. +Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. -This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software. +This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software. Mitigation: - Pre-boot authentication set to TPM only (the default) @@ -195,7 +196,7 @@ Computer Configuration|Administrative Templates|Windows Components|BitLocker Dri This setting is **Not configured** by default. -For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device. +For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device. ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 1339ada24d..359a620b10 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -29,7 +29,7 @@ ms.custom: bitlocker This article explains how BitLocker Device Encryption can help protect data on devices running Windows. For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md). -When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies. +When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. 
@@ -67,13 +67,13 @@ BitLocker is capable of encrypting entire hard drives, including both system and With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10. -## BitLocker Device Encryption +## BitLocker device encryption Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11. -Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption. +Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker device encryption pervasive across modern Windows devices. BitLocker device encryption further protects the system by transparently implementing device-wide data encryption. -Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens: +Unlike a standard BitLocker implementation, BitLocker device encryption is enabled automatically so that the device is always protected. 
The following list outlines how this happens: * When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points. * If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials. 
@@ -85,7 +85,7 @@ Microsoft recommends that BitLocker Device Encryption be enabled on any systems - **Value**: PreventDeviceEncryption equal to True (1) - **Type**: REG\_DWORD -Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. +Administrators can manage domain-joined devices that have BitLocker device encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker device encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required. > [!NOTE] > BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. In case you need to use a different encryption method and/or cipher strength, the device must be configured and decrypted (if already encrypted) first. After that, different BitLocker settings can be applied. 
@@ -99,18 +99,18 @@ Exercise caution when encrypting only used space on an existing volume on which ## Encrypted hard drive support SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. -Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. +Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use, whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md). ## Preboot information protection -An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. 
In fact, the more transparent a security solution becomes, the more likely users are to conform to it. -It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided. +An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. +It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided. Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). 
## Manage passwords and PINs -When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files. +When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it virtually impossible for the attacker to access or modify user data and system files. Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly. Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system. 
@@ -124,12 +124,12 @@ Network Unlock enables BitLocker-protected PCs to start automatically when conne Network Unlock requires the following infrastructure: * Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP) -* A server running at least Windows Server 2012 with the Windows Deployment Services role +* A server running at least Windows Server 2012 with the Windows deployment services role * A server with the DHCP server role installed -For more information about how to configure Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). +For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). -## Microsoft BitLocker Administration and Monitoring +## Microsoft BitLocker administration and monitoring Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features: diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 5bb4f1a886..442bafb9c2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -20,7 +20,7 @@ ms.date: 04/17/2019 ms.custom: bitlocker --- -# BitLocker Group Policy settings +# BitLocker group policy settings **Applies to:** 
@@ -39,12 +39,12 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive is initially configured to be unlocked with a password and then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. +## BitLocker group policy settings + > [!NOTE] > For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker). -## BitLocker Group Policy settings - -The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. +The following sections provide a comprehensive list of BitLocker group policy settings that are organized by usage. BitLocker group policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked. 
@@ -103,9 +103,7 @@ The following policies are used to support customized deployment scenarios in yo - [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#bkmk-depopt4) - [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#bkmk-depopt5) -### Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN - -This policy setting allows users on devices that are compliant with Modern Standby or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication. +### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN | |   | |:---|:---| @@ -145,7 +143,7 @@ To use a network key protector to unlock the computer, the computer and the serv > [!NOTE] > For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup. -For more information about Network Unlock, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). +For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). ### Require additional authentication at startup 
@@ -234,8 +232,8 @@ This policy setting is used to set a minimum PIN length when you use an unlock m This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits. -Originally, BitLocker allowed from 4 to 20 characters for a PIN. -Windows Hello has its own PIN for logon, which can be 4 to 127 characters. +Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. +Windows Hello has its own PIN for logon, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. 
@@ -305,7 +303,7 @@ This policy controls how non-TPM based systems utilize the password protector. U **Reference** -If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled. +If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\**, must be also enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. @@ -316,7 +314,7 @@ Passwords must be at least eight characters. To configure a greater minimum leng When this policy setting is enabled, you can set the option **Configure password complexity for operating system drives** to: - Allow password complexity -- Do not allow password complexity +- Deny password complexity - Require password complexity ### Require additional authentication at startup (Windows Server 2008 and Windows Vista) 
@@ -335,7 +333,7 @@ This policy setting is used to control what unlock options are available for com **Reference** -On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can require users to insert a USB drive that contains a startup key. It can also require users to enter a 6-digit to 20-digit startup PIN. +On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits. A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive. 
@@ -449,19 +447,19 @@ This policy setting is used to require, allow, or deny the use of passwords with **Reference** -If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at -**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** must also be enabled. +If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**, must also be enabled. > [!NOTE] > These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive. Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box. -When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. +When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. -When set to **Allow complexity**, a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password will still be accepted regardless of actual password complexity and the drive will be encrypted by using that password as a protector. 
+When set to **Allow complexity**, a connection to a domain controller is be attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector. -When set to **Do not allow complexity**, no password complexity validation will be done. +When set to **Do not allow complexity**, no password complexity validation is done. > [!NOTE] > Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** specifies whether FIPS compliance is enabled. @@ -495,7 +493,7 @@ The default object identifier is 1.3.6.1.4.1.311.67.1.1. ### Enable use of BitLocker authentication requiring preboot keyboard input on slates -This policy setting allows users to enable authentication options that require user input from the preboot environment even if the platform indicates a lack of preboot input capability. +### Enable use of BitLocker authentication requiring pre-boot keyboard input on slates | |   | |:---|:---| 
@@ -547,6 +545,7 @@ Conflict considerations include: - If you attempted to shrink the drive and create the system drive, the drive size is successfully reduced and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition will not be formatted. The following error message is displayed: "The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker." - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: "BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker." + 3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If you are upgrading computers in your organization from a previous version of Windows, and those computers were configured with a single partition, you should create the required BitLocker system partition before you apply this policy setting to the computers. ### Deny write access to removable drives not protected by BitLocker 
@@ -727,7 +726,7 @@ This policy controls whether fixed data drives utilize Used Space Only encryptio **Reference** -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] > This policy is ignored when you are shrinking or expanding a volume and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. 
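Review bot: Style point on the reworded Reference paragraph: "make it mandatory for the entire drive to be encrypted" and "make it mandatory to encrypt only that portion of the drive" are longer than the original "require that ..." and say the same thing. I would keep "require that", or use "Choose Full encryption to encrypt the entire drive". The same substitution recurs in the next two hunks, so whichever wording is chosen should be applied to all three.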
@@ -750,7 +749,7 @@ This policy controls whether operating system drives utilize Full encryption or **Reference** -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] > This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. 
@@ -773,7 +772,7 @@ This policy controls whether fixed data drives utilize Full encryption or Used S **Reference** -This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose Used Space Only encryption to require that only the portion of the drive that is used to store data is encrypted when BitLocker is turned on. +This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on. > [!NOTE] > This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space. 
@@ -807,7 +806,7 @@ In **Configure user storage of BitLocker recovery information**, select whether Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If you select **Store recovery password and key packages**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If you select **Store recovery password only**, only the recovery password is stored in AD DS. Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. 
@@ -834,7 +833,7 @@ This policy is only applicable to computers running Windows Server 2008 or Windo Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key. -Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving it to a folder stores the 48-digit recovery password as a text file. Printing it sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. +Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving the recovery password to a folder stores the 48-digit recovery password as a text file. Printing the recovery password sends the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder. > [!IMPORTANT] > If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information. 
@@ -915,7 +914,7 @@ This policy setting is applied when you turn on BitLocker. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor. -In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. +In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. 
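Review bot: The changed sentence now reads "select whether users can be allowed, required, or not allowed to generate", and "can be" does not fit "required" or "not allowed". The original "are allowed, required, or not allowed" correctly described the three states the administrator picks from. Suggest reverting this sentence.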
@@ -949,11 +948,11 @@ This policy setting is applied when you turn on BitLocker. The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor. -In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password. +In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password. Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you can't specify which recovery option to use when you enable BitLocker. Instead, BitLocker recovery options for the drive are determined by the policy setting. -In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. +In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. 
Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. 
@@ -981,8 +980,8 @@ Enabling the **Configure the pre-boot recovery message and URL** policy setting Once you enable the setting, you have three options: - If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen. -- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box will be displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. -- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which will be displayed on the pre-boot recovery screen. +- If you select the **Use custom recovery message** option, type the custom message in the **Custom recovery message option** text box. The message that you type in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message. +- If you select the **Use custom recovery URL** option, type the custom message URL in the **Custom recovery URL option** text box. The URL that you type in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen. > [!IMPORTANT] > Not all characters and languages are supported in the pre-boot environment. We strongly recommended that you verify the correct appearance of the characters that you use for the custom message and URL on the pre-boot recovery screen. 
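Review bot: The tense change is applied to the second and third bullets only. The first bullet, left as context, still says the default message and URL "will be displayed", so the list now mixes "will be displayed" and "is displayed". Include the first bullet in the change. While this block is being edited, "We strongly recommended that you verify" in the IMPORTANT note below should be "We strongly recommend".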
@@ -1006,8 +1005,8 @@ This policy controls how BitLocker-enabled system volumes are handled with the S **Reference** -Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. -When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. +Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. +When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker. > [!WARNING] > Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. 
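Review bot: The added sentence "Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8" changes the meaning: it can now be read as Secure Boot having started before those releases, where the original compared Secure Boot with the older BitLocker integrity checks. Keep "also provides". The hunk also lowercases "Secure Boot" and "Group Policy" in running text while the bolded setting name stays capitalised; if this is a deliberate style decision, it should be applied consistently across the article.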
@@ -1030,7 +1029,7 @@ This policy setting is used to establish an identifier that is applied to all dr These identifiers are stored as the identification field and the allowed identification field. The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. -An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field on the drive matches the value that is configured for the identification field. +An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field. For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde). 
@@ -1038,9 +1037,9 @@ The allowed identification field is used in combination with the **Deny write ac You can configure the identification fields on existing drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool. -When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an outside organization. +When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization. -Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value up to 260 characters. +Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters. ### Prevent memory overwrite on restart @@ -1094,9 +1093,9 @@ A platform validation profile consists of a set of PCR indices that range from 0 > [!NOTE] > Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. -The following list identifies all of the PCRs available: +The following list identifies all of the available PCRs: -- PCR 0: Core root-of-trust for measurement, BIOS, and Platform extensions +- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions - PCR 1: Platform and motherboard configuration and data. - PCR 2: Option ROM code - PCR 3: Option ROM data and configuration 
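Review bot: The identification-field hunk (@@ -1038) introduces a typo: "can be any value upto 260 characters" should stay "up to 260 characters". In the PCR list hunk that follows, the entry "PCR 1: Platform and motherboard configuration and data." ends with a period while the neighbouring entries do not; since the list is being touched, the punctuation could be aligned.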
@@ -1141,7 +1140,7 @@ A platform validation profile consists of a set of PCR indices that range from 0 > [!NOTE] > The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only. -The following list identifies all of the PCRs available: +The following list identifies all of the available PCRs: - PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code - PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration 
@@ -1179,11 +1178,11 @@ This policy setting determines what values the TPM measures when it validates ea This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection. > [!IMPORTANT] -> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. +> This group policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. -A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). +A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). 
-The following list identifies all of the PCRs available: +The following list identifies all of the available PCRs: - PCR 0: Core System Firmware executable code - PCR 1: Core System Firmware data @@ -1249,7 +1248,7 @@ This policy setting determines specific Boot Configuration Data (BCD) settings t ### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows -This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and if the application is installed on the drive. +This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive. | |   | |:---|:---| @@ -1313,7 +1312,7 @@ You can edit the FIPS setting by using the Security Policy Editor (Secpol.msc) o For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). -## Power management Group Policy settings: Sleep and Hibernate +## Power management group policy settings: Sleep and Hibernate PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system’s battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This might lead to conditions where data security is compromised. 
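Review bot: The heading change to "## Power management group policy settings: Sleep and Hibernate" lowercases "Group Policy", but the IMPORTANT note edited in the @@ -1178 hunk of this same patch lowercases only the first mention and leaves "**Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting" capitalised. Pick one form for running text and apply it throughout. The context sentence under the heading, "PCs default power settings for a computer will cause the computer to enter Sleep mode", is also worth fixing while this section is open.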
@@ -1337,7 +1336,7 @@ reduces the likelihood of BitLocker starting in recovery mode as a result of fir PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol). -PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and Secure Boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. +PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default. ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 28c20974f7..f743aedb8a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -1,6 +1,6 @@ --- title: BitLocker How to deploy on Windows Server 2012 and later -description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later +description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f ms.reviewer: ms.prod: m365-security 
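Review bot: The front-matter description line is modified ("topic" to "article") but still reads "explains how to deploy BitLocker and Windows Server 2012 and later". That should be "on Windows Server 2012 and later", matching the opening sentence of the article body.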
@@ -22,28 +22,30 @@ ms.custom: bitlocker > Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 -This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install. +This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed. ## Installing BitLocker -### To install BitLocker using Server Manager +### To install BitLocker using server manager -1. Open Server Manager by selecting the Server Manager icon or running servermanager.exe. +1. Open server manager by selecting the server manager icon or running servermanager.exe. 2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** -3. With the **Add Roles and Features Wizard** open, select **Next** at the **Before you begin** pane (if shown). -4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features Wizard** pane and select **Next** to continue. -5. Select the **Select a server from the server pool option** in the **Server Selection** pane and confirm the server for the BitLocker feature install. -6. Server roles and features install using the same wizard in Server Manager. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. -7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features Wizard**. 
The wizard will show the additional management features available for BitLocker. If you do not want to install these features, deselect the **Include management tools option** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. +3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). +4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. +5. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. +6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. + **Note**: Server roles and features are installed by using the same wizard in Server Manager. +7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If you don't want to install these features, deselect the **Include management tools +** and select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. - > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for Encrypted Hard Drives on capable systems. + > **Note:**   The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.   -8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features Wizard** to begin BitLocker feature installation. The BitLocker feature requires a restart to complete. 
Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane will force a restart of the computer after installation is complete. -9. If the **Restart the destination server automatically if required** check box is not selected, the **Results pane** of the **Add Roles and Features Wizard** will display the success or failure of the BitLocker feature installation. If required, a notification of additional action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. +8. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. +9. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. ### To install BitLocker using Windows PowerShell -Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules do not always share feature name parity. Because of this, it is advisable to confirm the feature or role name prior to installation. +Windows PowerShell offers administrators another option for BitLocker feature installation. 
Windows PowerShell installs features using the `servermanager` or `dism` module; however, the `servermanager` and `dism` modules don't always share feature name parity. Because of this, it's advisable to confirm the feature or role name prior to installation. >**Note:**  You must restart the server to complete the installation of BitLocker.   
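Review bot: In step 7 the bold span is split across two added lines ("deselect the **Include management tools" followed by a new line starting "** and select **Add Features**"), which will not render as bold and leaves stray asterisks; the word "option" was also lost. Keep it on one line as "**Include management tools** option". Separately, the heading and step 1 lowercase "server manager", while step 2 keeps "**Server Manager Navigation**" and the new note in step 6 says "Server Manager"; the product name should be capitalised consistently.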
@@ -51,20 +53,20 @@ Windows PowerShell offers administrators another option for BitLocker feature in The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. -By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. +By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. This can be seen using the `-WhatIf` option in Windows PowerShell. ```powershell Install-WindowsFeature BitLocker -WhatIf ``` -The results of this command show that only the BitLocker Drive Encryption feature installs using this command. +The results of this command show that only the BitLocker Drive Encryption feature is installed using this command. -To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: +To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command: ```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` -The result of this command displays the following list of all the administration tools for BitLocker that would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). 
+The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS). - BitLocker Drive Encryption - BitLocker Drive Encryption Tools @@ -74,7 +76,7 @@ The result of this command displays the following list of all the administration - AD DS Tools - AD DS and AD LDS Tools -The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: +The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is: ```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart 
@@ -84,13 +86,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -   ### Using the dism module to install BitLocker -The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. +The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module doesn't support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. ```powershell Get-WindowsOptionalFeature -Online | ft ``` -From this output, we can see that there are three BitLocker related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. +From this output, we can see that there are three BitLocker-related optional feature names: BitLocker, BitLocker-Utilities and BitLocker-NetworkUnlock. To install the BitLocker feature, the BitLocker and BitLocker-Utilities features are the only required items. To install BitLocker using the `dism` module, use the following command: 
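Review bot: the rewritten paragraph in this hunk still tells readers to use the `Get-WindowsOptionalFeatures` cmdlet, but the command in the code block directly below it is `Get-WindowsOptionalFeature -Online | ft` (singular). Since the line is being touched anyway, correct the cmdlet name in the prose so it matches the example, and consider trimming "The BitLocker feature name for BitLocker is `BitLocker`" to "The feature name for BitLocker is `BitLocker`".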
@@ -98,7 +100,7 @@ To install BitLocker using the `dism` module, use the following command: Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` -This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: +This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: ```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 80bc08da6e..da9fd23653 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -20,7 +20,7 @@ ms.date: 02/28/2019 ms.custom: bitlocker --- -# BitLocker: How to enable Network Unlock +# BitLocker: How to enable network unlock **Applies to** 
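Review bot: the new H1, "# BitLocker: How to enable network unlock", lowercases the feature name, while the body of this same file keeps "Network Unlock" in headings such as "## Network Unlock sequence" and gives the Server Manager feature name as "BitLocker Network Unlock". Pick one casing for the feature and apply it to the title, headings and body together; as written, the change leaves "Network Unlock" and "network unlock" mixed, sometimes within one paragraph.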
@@ -28,49 +28,48 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This article for IT professionals describes how BitLocker Network Unlock works and how to configure it. +This topic describes how BitLocker network unlock works and how to configure it. -Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. +Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. +Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. -Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers. +Network unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. 
Network unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. -Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session. +## Network unlock core requirements -## Network Unlock core requirements +Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include: -Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems: +- Windows 8 or Windows Server 2012 as the current operating system. +- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients. +- Network Unlock clients with a TPM chip and at least one TPM protector. +- A server running the Windows Deployment Services (WDS) role on any supported server operating system. +- BitLocker Network Unlock optional feature installed on any supported server operating system. +- A DHCP server, separate from the WDS server. +- Properly configured public/private key pairing. +- Network Unlock group policy settings configured. -- You must be running at least Windows 8 or Windows Server 2012. -- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client. 
-- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector. -- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system. -- The BitLocker Network Unlock optional feature can be installed on any supported server operating system. -- You must have a DHCP server, separate from the WDS server. -- You must have a properly configured public/private key pairing. -- Network Unlock Group Policy settings must be configured. - -The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer. +The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus; therefore, you need to confirm that the network stack has been enabled in the BIOS before starting the computer. > [!NOTE] > To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled. On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. -Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. 
+For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and must be used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because network unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails. -On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement. +The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. -Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server. +Network unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service must be running on the server. -The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. 
The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key. +The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. ## Network Unlock sequence -The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. +The unlock sequence starts on the client side when the Windows boot manager detects the existence of network unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. -On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. 
The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive. +On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming network unlock requests. You can also configure the provider with subnet restrictions, which would require that the IP address provided by the client in the network unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. -The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients. +The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). 
Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM. @@ -81,8 +80,8 @@ The Network Unlock process follows these phases: 1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. 2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains: - - A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server. - - An AES-256 session key for the reply. + 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the network unlock certificate from the WDS server. + 2. An AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. 5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. 6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. 
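Review bot: in the @@ -28,49 +28,48 @@ hunk, two of the added paragraphs repeat text that the hunk leaves in place as unchanged context. The new "For network unlock to work reliably on computers running Windows 8 and later versions, the first network adapter ..." paragraph follows the existing "On computers that run Windows 8 and later, the first network adapter ..." sentence, and the new "This certificate must be managed and deployed through the Group Policy editor ..." sentences are followed by the existing "Manage and deploy this certificate through the Group Policy editor ..." paragraph, so as the diff reads, the adapter requirement and the two-secrets explanation each appear twice. Drop one copy of each. In the same hunk, "difficult to enterprises" should read "difficult for enterprises", and the requirement "Windows 8 or Windows Server 2012 as the current operating system" no longer says "at least", which changes the stated minimum.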
@@ -90,13 +89,13 @@ The Network Unlock process follows these phases: 8. This combined key is used to create an AES-256 key that unlocks the volume. 9. Windows continues the boot sequence. -## Configure Network Unlock +## Configure network unlock -The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012. +The following steps allow an administrator to configure network unlock in a domain where the Domain Functional Level is at least Windows Server 2012. ### Install the WDS server role -The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role. +The BitLocker network unlock feature installs the WDS role if it is not already installed. If you want to install it separately before you install BitLocker network unlock, you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. To install the role by using Windows PowerShell, use the following command: 
@@ -104,51 +103,51 @@ To install the role by using Windows PowerShell, use the following command: Install-WindowsFeature WDS-Deployment ``` -Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard. +You must configure the WDS server so that it can communicate with DHCP (and optionally AD DS) and the client computer. You can configure using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration wizard. ### Confirm the WDS service is running -To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service. +To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. -To confirm the service is running by using Windows PowerShell, use the following command: +To confirm that the service is running using Windows PowerShell, use the following command: ```powershell Get-Service WDSServer ``` ### Install the Network Unlock feature -To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**. +To install the network unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. 
To install the feature by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock -A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template: +A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. -1. Open the certificate template snap-in (`certtmpl.msc`). -2. Locate the user template. Right-click the template name, and then select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**. -5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) -7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**. -9. 
Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**. -10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**. -11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**. -12. In the **Edit Application Policies Extension** dialog box, select **Add**. -13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy. +1. Open the Certificates Template snap-in (certtmpl.msc). +2. Locate the User template, right-click the template name and select **Duplicate Template**. +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected. +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option. +5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected. +6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) +7. 
Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as **Microsoft Software Key Storage Provider**. +8. Select the **Subject Name** tab. Select **Supply in the request**. Click **OK** if the certificate templates pop-up dialog appears. +9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. +10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. +11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. +12. On the **Edit Application Policies Extension** dialog box, select **Add**. +13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: - - **Name**: **BitLocker Network Unlock** - - **Object Identifier**: **1.3.6.1.4.1.311.67.1.1** + - **Name:** **BitLocker Network Unlock** + - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** -14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**. -15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**. +14. Select the newly created **BitLocker Network Unlock** application policy and click **OK**. +15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. 16. Select the **Security** tab. 
Confirm that the **Domain Admins** group has been granted **Enroll** permission. -17. Select **OK** to complete configuration of the template. +17. Click **OK** to complete configuration of the template. To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. @@ -159,7 +158,6 @@ After you add the Network Unlock template to the certificate authority, you can Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate. To enroll a certificate from an existing certificate authority: - 1. On the WDS server, open Certificate Manager by using `certmgr.msc`. 2. Under **Certificates - Current User**, right-click **Personal**. 3. Select **All Tasks** > **Request New Certificate**. 
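Review bot: in the @@ -104,51 +103,51 @@ hunk, step 11 of the template procedure has the bold span in the wrong place: "**Client Authentication**, **Encrypting File System**, **and Secure Email**" puts "and" inside the bold markup, so the UI label renders as "and Secure Email". It should be "and **Secure Email**". The same hunk also drops the code formatting from `certtmpl.msc` in step 1 while the unchanged paragraph after step 17 still writes `certsrv.msc` in backticks; keep the snap-in names formatted the same way.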
@@ -170,12 +168,14 @@ To enroll a certificate from an existing certificate authority: 7. Create the certificate. Ensure the certificate appears in the **Personal** folder. 8. Export the public key certificate for Network Unlock: - 1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**. + 1. Create a .cer file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. 2. Select **No, do not export the private key**. - 3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file. - 4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*. -9. Export the public key with a private key for Network Unlock: - 1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**. + 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. + 4. Give the file a name such as BitLocker-NetworkUnlock.cer. + +9. Export the public key with a private key for Network Unlock. + + 1. Create a .pfx file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**. 2. Select **Yes, export the private key**. 3. Complete the steps to create the *.pfx* file. @@ -189,7 +189,7 @@ New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN= Here's a `certreq` example: -1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*. +1. Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf. 2. Add the following contents to the previously created file: ```ini 
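Review bot: the reworded step 1 of the `certreq` example, "Create a text file with an .inf extension, for example, notepad.exe BitLocker-NetworkUnlock.inf.", runs the command into the sentence with no formatting, so it is no longer clear that `notepad.exe BitLocker-NetworkUnlock.inf` is something to type. Put the command in code formatting. The file-extension styling is also now mixed with the previous hunk, where the changed sub-step says ".pfx" and the unchanged sub-step 3 still says "*.pfx*".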
@@ -216,60 +216,56 @@ Here's a `certreq` example: ```cmd certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` - -4. Verify the previous command properly created the certificate by confirming the *.cer* file exists. -5. Launch **Certificates - Local Machine** by running `certlm.msc`. -6. Create a *.pfx* file by opening the *Certificates – Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file. +4. Verify that certificate was properly created by the previous command by confirming that the .cer file exists. +5. Launch Certificates - Local Machine by running **certlm.msc**. +6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, and then selecting **Export**. Follow through the wizard to create the .pfx file. ### Deploy the private key and certificate to the WDS server Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: -1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer. -2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**. -3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously. -4. Enter the password that you used to create the *.pfx* file, and finish the steps. +1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. +2. 
Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item -, select **All Tasks**, and then select **Import**. +3. In the **File to Import** dialog, choose the .pfx file created previously. +4. Enter the password used to create the .pfx and complete the wizard. -### Configure Group Policy settings for Network Unlock +### Configure group policy settings for network unlock -You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC. +With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. -To enable the Group Policy setting that's required to configure Network Unlock: +The following steps describe how to enable the group policy setting that is a requirement for configuring network unlock. 1. Open Group Policy Management Console (`gpmc.msc`). 2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. 
-To deploy the required Group Policy setting: +The following steps describe how to deploy the required group policy setting: > [!NOTE] -> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. +> The group policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. 1. Copy the *.cer* file that you created for Network Unlock to the domain controller. 2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 4. Deploy the public certificate to clients: - - 1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*. - 2. Right-click the folder, and then choose **Add Network Unlock Certificate**. - 3. Follow the steps and import the *.cer* file that you copied earlier. + 1. Within group policy management console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**. + 2. Right-click the folder and select **Add Network Unlock Certificate**. + 3. Follow the wizard steps and import the .cer file that was copied earlier. > [!NOTE] > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer. 5. Reboot the clients after you deploy the Group Policy. 
> [!NOTE] - > The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store. + > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store. ### Subnet policy configuration files on the WDS server (optional) -By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking. +By default, all clients with the correct network unlock certificate and valid Network Unlock protectors that have wired access to a network unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the network unlock clients can use to unlock. -The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests. +The configuration file, called bde-network-unlock.ini, must be located in the same directory as the network unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests. -The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections. 
- -Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names. +The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name–value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. ```ini [SUBNETS] 
@@ -278,19 +274,13 @@ SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` - -Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate. +Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate. > [!NOTE] -> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail. +> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid. -Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate. - -So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section. - -Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. 
Then, the server will unlock clients that have this certificate only on the subnets that the list specifies. - -To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon. +Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every network unlock certificate on the server, and an explicit allowed list set for each certificate section. +Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. ```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] 
@@ -305,29 +295,30 @@ To disallow the use of a certificate altogether, add a `DISABLED` line to its su ## Turn off Network Unlock -To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain. + +To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating network unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker network unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. > [!NOTE] -> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server. +> Removing the FVE_NKP certificate store that contains the network unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the network unlock server. 
## Update Network Unlock certificates -To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller. +To update the certificates used by network unlock, administrators need to import or generate the new certificate for the server and then update the network unlock certificate group policy setting on the domain controller. > [!NOTE] > Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate. ## Troubleshoot Network Unlock -To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items: +Troubleshooting network unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include: -- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode. +- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started. -- Public and private certificates have been published and are in the proper certificate containers. 
Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer. -- Group Policy for Network Unlock is enabled and linked to the appropriate domains. -- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility. -- The clients were rebooted after the policy was applied. -- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer. +- Public and private certificates have been published and are in the proper certificate containers. The presence of the network unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. +- Group policy for network unlock is enabled and linked to the appropriate domains. +- Verify whether group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. +- Verify whether the clients were rebooted after applying the policy. +- Verify whether the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. 
For example, the following command will list the key protectors currently configured on the C: drive of the local computer: ```powershell manage-bde -protectors -get C: @@ -350,7 +341,6 @@ Gather the following files to troubleshoot BitLocker Network Unlock. 1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. 1. In the right pane, select **Enable Log**. - - The DHCP subnet configuration file (if one exists). - The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. - The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address. @@ -366,12 +356,12 @@ Your system must meet these requirements: Follow these steps to configure Network Unlock on these older systems. -1. [Install the WDS server role.](#bkmk-installwdsrole) -2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning) -3. [Install the Network Unlock feature.](#bkmk-installnufeature) -4. [Create the Network Unlock certificate.](#bkmk-createcert) -5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert) -6. Configure registry settings for Network Unlock: +1. [Install the WDS Server role](#bkmk-installwdsrole) +2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning) +3. [Install the Network Unlock feature](#bkmk-installnufeature) +4. [Create the Network Unlock certificate](#bkmk-createcert) +5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert) +6. Configure registry settings for network unlock: Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article. 
@@ -387,7 +377,7 @@ Follow these steps to configure Network Unlock on these older systems. ``` 7. Set up a TPM protector on the clients. -8. Reboot the clients to add the **Network (Certificate Based)** protector. +8. Reboot the clients to add the Network (certificate based) protector. ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 2b8382dfa8..df962a8ff5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -23,6 +23,7 @@ title: BitLocker Overview and Requirements FAQ summary: | **Applies to** - Windows 10 + - Windows 11 sections: diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index a5d4bf4e49..41c1be27f1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -1,5 +1,5 @@ --- -title: BitLocker (Windows 10) +title: BitLocker description: This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. ms.assetid: 40526fcc-3e0d-4d75-90e0-c7d0615f33b2 ms.author: dansimp 
@@ -102,4 +102,4 @@ When installing the BitLocker optional component on a server you will also need | [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 11, Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. | | [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. | | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| -| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows IoT Core | \ No newline at end of file +| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows IoT Core | diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index c059f9b372..76782a084f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md 
@@ -1,16 +1,11 @@ --- -title: Breaking out of a Bitlocker recovery loop -description: This topic for IT professionals describes how to break out of a Bitlocker recovery loop. -ms.assetid: #c40f87ac-17d3-47b2-afc6-6c641f72ecee +title: Breaking out of a BitLocker recovery loop +description: This article for IT professionals describes how to break out of a BitLocker recovery loop. ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -ms.author: v-maave -author: dansimp +author: aczechowski +ms.author: aaroncz manager: dansimp -audience: ITPro ms.collection: - M365-security-compliance - highpri 
@@ -19,25 +14,21 @@ ms.date: 10/28/2019 ms.custom: bitlocker --- -# Breaking out of a Bitlocker recovery loop +# Breaking out of a BitLocker recovery loop -Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This can be very frustrating. +Sometimes, following a crash, you might be unable to successfully boot into your operating system, due to the recovery screen repeatedly prompting you to enter your recovery key. This experience can be frustrating. -If you've entered the correct Bitlocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. +If you've entered the correct BitLocker recovery key multiple times, and are still unable to continue past the initial recovery screen, follow these steps to break out of the loop. > [!NOTE] -> Only try these steps after you have restarted your device at least once. +> Try these steps only after you have restarted your device at least once. -1. On the initial recovery screen, don't enter your recovery key. Instead, select **Skip this drive**. +1. On the initial recovery screen, don't enter your recovery key, instead, select **Skip this drive**. -1. On the next screen, select **Troubleshoot**. +2. Navigate to **Troubleshoot** > **Advanced options**, and select **Command prompt**. -1. On the Troubleshoot screen, select **Advanced options**. +3. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` -1. On the Advanced options screen, select **Command prompt**. +4. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` -1. From the WinRE command prompt, manually unlock your drive: `manage-bde.exe -unlock C: -rp ` - -1. Suspend operating system drive protection: `manage-bde.exe -protectors -disable C:` - -1. 
Once the last command is run, you can safely exit the command prompt and continue to boot into your operating system +5. Once the last command is run, you can exit the command prompt and continue to boot into your operating system. diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 9e53801a67..53a8a654a2 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -28,7 +28,7 @@ ms.custom: bitlocker - Windows 11 - Windows Server 2016 and above -This topic for the IT professional describes how to use the BitLocker Recovery Password Viewer. +This topic describes how to use the BitLocker Recovery Password Viewer. The BitLocker Recovery Password Viewer tool is an optional tool included with the Remote Server Administration Tools (RSAT). It lets you locate and view BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). You can use this tool to help recover data that is stored on a drive that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer tool is an extension for the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in. Using this tool, you can examine a computer object's **Properties** dialog box to view the corresponding BitLocker recovery passwords. Additionally you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. You can also search for a password by password identifier (ID). 
@@ -38,7 +38,7 @@ To complete the procedures in this scenario: - You must have domain administrator credentials. - Your test computers must be joined to the domain. -- On the test computers, BitLocker must have been turned on after joining the domain. +- On the domain-joined test computers, BitLocker must have been turned on. The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md index 975f5a78cf..5da7725f1d 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md 
@@ -18,12 +18,12 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known issues -This article describes common issues that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] -> If you have determined that your BitLocker issue involves the Trusted Platform Module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). +> If you have determined that your BitLocker issue involves the trusted platform module (TPM), see [BitLocker cannot encrypt a drive: known TPM issues](ts-bitlocker-cannot-encrypt-tpm-issues.md). -## Error 0x80310059: BitLocker Drive Encryption is already performing an operation on this drive +## Error 0x80310059: BitLocker drive encryption is already performing an operation on this drive When you turn on BitLocker Drive Encryption on a computer that is running Windows 10 Professional or Windows 11, you receive a message that resembles the following: @@ -31,7 +31,7 @@ When you turn on BitLocker Drive Encryption on a computer that is running Window ### Cause -This issue may be caused by settings that are controlled by Group Policy Objects (GPOs). +This issue may be caused by settings that are controlled by group policy objects (GPOs). ### Resolution @@ -49,7 +49,7 @@ To resolve this issue, follow these steps: - **OSPlatformValidation\_UEFI** - **PlatformValidation** -1. Exit Registry Editor, and turn on BitLocker Drive Encryption again. +1. Exit registry editor, and turn on BitLocker drive encryption again. ## "Access is denied" message when you try to encrypt removable drives 
@@ -69,7 +69,7 @@ You receive this message on any computer that runs Windows 10 version 1709 or ve ### Cause -The security descriptor of the BitLocker Drive Encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE. +The security descriptor of the BitLocker drive encryption service (BDESvc) has an incorrect entry. Instead of NT AUTHORITY\Authenticated Users, the security descriptor uses NT AUTHORITY\INTERACTIVE. To verify that this issue has occurred, follow these steps: @@ -89,7 +89,7 @@ To verify that this issue has occurred, follow these steps: ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png) - If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: + If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following: ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md index bf8bc4bec3..2609cccafb 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md 
@@ -18,14 +18,14 @@ ms.custom: bitlocker # BitLocker cannot encrypt a drive: known TPM issues -This article describes common issues that affect the Trusted Platform Module (TPM) and that may prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. +This article describes common issues that affect the Trusted Platform Module (TPM) that might prevent BitLocker from encrypting a drive. This article also provides guidance to address these issues. > [!NOTE] > If you have determined that your BitLocker issue does not involve the TPM, see [BitLocker cannot encrypt a drive: known issues](ts-bitlocker-cannot-encrypt-issues.md). ## The TPM is locked and you see "The TPM is defending against dictionary attacks and is in a time-out period" -When you turn on BitLocker Drive Encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +When you turn on BitLocker drive encryption, it does not start. Instead, you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause 
@@ -42,13 +42,12 @@ To resolve this issue, follow these steps: $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)} ``` - -1. Restart the computer. If you are prompted at the restart screen, press F12 to agree. -1. Try again to start BitLocker Drive Encryption. +2. Restart the computer. If you are prompted at the restart screen, press F12 to agree.8 +3. Retry starting BitLocker drive encryption. ## You cannot prepare the TPM, and you see "The TPM is defending against dictionary attacks and is in a time-out period" -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you receive a message that resembles "The TPM is defending against dictionary attacks and is in a time-out period." ### Cause 
@@ -59,11 +58,11 @@ The TPM is locked out. To resolve this issue, disable and re-enable the TPM. To do this, follow these steps: 1. Restart the device, and change the BIOS configuration to disable the TPM. -1. Restart the device again, and return to the TPM management console. You should receive a message that resembles the following: +2. Restart the device again, and return to the TPM management console. Following message is displayed: > Compatible Trusted Platform Module (TPM) cannot be found on this computer. Verify that this computer has 1.2 TPM and it is turned on in the BIOS. -1. Restart the device, and change the BIOS configuration to enable the TPM. -1. Restart the device, and return to the TPM management console. +3. Restart the device, and change the BIOS configuration to enable the TPM. +4. Restart the device, and return to the TPM management console. If you still cannot prepare the TPM, clear the existing TPM keys. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). 
@@ -72,11 +71,11 @@ If you still cannot prepare the TPM, clear the existing TPM keys. To do this, fo ## Access Denied: Failed to backup TPM Owner Authorization information to Active Directory Domain Services. Errorcode: 0x80070005 -You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker Drive Encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." +You have an environment that enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. You try to turn on BitLocker drive encryption on a computer that runs Windows 7, but the operation fails. You receive a message that resembles "Access Denied" or "Insufficient Rights." ### Cause -The TPM did not have sufficient permissions on the TPM Devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker Drive Encryption could not run. +The TPM did not have sufficient permissions on the TPM devices container in Active Directory Domain Services (AD DS). Therefore, the BitLocker recovery information could not be backed up to AD DS, and BitLocker drive encryption could not run. This issue appears to be limited to computers that run versions of Windows that are earlier than Windows 10. 
@@ -84,7 +83,7 @@ This issue appears to be limited to computers that run versions of Windows that To verify that you have correctly identified this issue, use one of the following methods: -- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker Drive Encryption again. The operation should now succeed. +- Disable the policy or remove the computer from the domain. Then try to turn on BitLocker drive encryption again. The operation should now succeed. - Use LDAP and network trace tools to examine the LDAP exchanges between the client and the AD DS domain controller to identify the cause of the "Access Denied" or "Insufficient Rights" error. In this case, you should see the error when the client tries to access its object in the "CN=TPM Devices,DC=\<*domain*>,DC=com" container. 1. To review the TPM information for the affected computer, open an elevated Windows PowerShell window and run the following command: 
@@ -95,13 +94,13 @@ To verify that you have correctly identified this issue, use one of the followin In this command, *ComputerName* is the name of the affected computer. -1. To resolve the issue, use a tool such as dsacls.exe to make sure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. +1. To resolve the issue, use a tool such as dsacls.exe to ensure that the access control list of msTPM-TPMInformationForComputer grants both Read and Write permissions to NTAUTHORITY/SELF. ## Cannot prepare the TPM, error 0x80072030: "There is no such object on the server" -Your domain controllers were upgraded from Windows Server 2008 R2to Windows Server 2012 R2. A Group Policy Object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. +Your domain controllers were upgraded from Windows Server 2008 R2 to Windows Server 2012 R2. A group policy object (GPO) enforces the **Do not enable BitLocker until recovery information is stored in AD DS** policy. -You cannot turn on BitLocker Drive Encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: +You cannot turn on BitLocker drive encryption on a device. You use the TPM management console (tpm.msc) to prepare the TPM on a device. The operation fails and you see a message that resembles the following: > 0x80072030 There is no such object on the server when a policy to back up TPM information to active directory is enabled 
@@ -109,7 +108,7 @@ You have confirmed that the **ms-TPM-OwnerInformation** and **msTPM-TpmInformati ### Cause -The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS may not be correctly set. +The domain and forest functional level of the environment may still be set to Windows 2008 R2. Additionally, the permissions in AD DS might not be correctly set. ### Resolution diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md index 8694e1f531..6898a72c8c 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-config-issues.md 
@@ -18,13 +18,13 @@ ms.custom: bitlocker # BitLocker configuration: known issues -This article describes common issues that affect your BitLocker configuration and BitLocker's general functionality. This article also provides guidance to address these issues. +This article describes common issues that affect your BitLocker's configuration and general functionality. This article also provides guidance to address these issues. ## BitLocker encryption is slower in Windows 10 and Windows 11 In both Windows 11, Windows 10, and Windows 7, BitLocker runs in the background to encrypt drives. However, in Windows 11 and Windows 10, BitLocker is less aggressive about requesting resources. This behavior reduces the chance that BitLocker will affect the computer's performance. -To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and any internal drives are always encrypted *as soon as you turn on BitLocker*. +To compensate for these changes, BitLocker uses a new conversion model. This model, (referred to as Encrypt-On-Write), makes sure that any new disk writes on all client SKUs and that any internal drives are always encrypted *as soon as you turn on BitLocker*. > [!IMPORTANT] > To preserve backward compatibility, BitLocker uses the previous conversion model to encrypt removable drives. 
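Review bot: The "that" inserted into the Encrypt-On-Write sentence changes the technical claim. The old wording said new disk writes (on all client SKUs and on any internal drives) are encrypted as soon as BitLocker is turned on; the new wording reads as "any internal drives are always encrypted as soon as you turn on BitLocker", which overstates the protection for data written before conversion finishes. Suggest reverting to the original clause or rephrasing as "any new disk writes to internal drives, on all client SKUs, are always encrypted". In the intro sentence, "your BitLocker's configuration" is also awkward; "your BitLocker configuration and its general functionality" would read better.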
@@ -41,7 +41,7 @@ After Windows 7 was released, several other areas of BitLocker were improved: - **New encryption algorithm, XTS-AES**. The new algorithm provides additional protection from a class of attacks on encrypted data that rely on manipulating cipher text to cause predictable changes in plain text. - By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS are United States Government standards that provide a benchmark for implementing cryptographic software. + By default, this algorithm complies with the Federal Information Processing Standards (FIPS). FIPS is a United States Government standard that provides a benchmark for implementing cryptographic software. - **Improved administration features**. You can manage BitLocker on PCs or other devices by using the following interfaces: - BitLocker Wizard @@ -90,12 +90,12 @@ This issue occurs regardless of any of the following variations in the environme - Whether the VMs are generation 1 or generation 2. - Whether the guest operating system is Windows Server 2019, 2016 or 2012 R2. -In the domain controller Application log, the VSS event source records event ID 8229: +In the domain controller application log, the VSS event source records event ID 8229: > ID: 8229 > Level: Warning > ‎Source: VSS -> Message: A VSS writer has rejected an event with error 0x800423f4, The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. +> Message: A VSS writer has rejected an event with error 0x800423f4. The writer experienced a non-transient error. If the backup process is retried, the error is likely to reoccur. > > Changes that the writer made to the writer components while handling the event will not be available to the requester. 
> diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md index 03d5462401..a15efdcb28 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md @@ -39,7 +39,7 @@ If you do not have a clear trail of events or error messages to follow, other ar - [Review the hardware requirements for using Intune to manage BitLocker on devices](/windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption-hardware-requirements) - [Review your BitLocker policy configuration](#policy) -For information about how to verify that Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). +For information about the procedure to verify whether Intune policies are enforcing BitLocker correctly, see [Verifying that BitLocker is operating correctly](#verifying-that-bitlocker-is-operating-correctly). ## Event ID 853: Error: A compatible Trusted Platform Module (TPM) Security Device cannot be found on this computer @@ -49,7 +49,7 @@ Event ID 853 can carry different error messages, depending on the context. In th ### Cause -The device that you are trying to secure may not have a TPM chip, or the device BIOS might be configured to disable the TPM. +The device that you are trying to secure may not have a TPM chip, or the device BIOS might have been configured to disable the TPM. ### Resolution 
@@ -70,9 +70,9 @@ In this case, you see event ID 853, and the error message in the event indicates ### Cause -During the provisioning process, BitLocker Drive Encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. +During the provisioning process, BitLocker drive encryption records the configuration of the device to establish a baseline. If the device configuration changes later (for example, if you remove the media), BitLocker recovery mode automatically starts. -To avoid this situation, the provisioning process stops if it detects removable bootable media. +To avoid this situation, the provisioning process stops if it detects a removable bootable media. ### Resolution @@ -90,7 +90,7 @@ The event information resembles the following: Windows Recovery Environment (WinRE) is a minimal Windows operating system that is based on Windows Preinstallation Environment (Windows PE). WinRE includes several tools that an administrator can use to recover or reset Windows and diagnose Windows issues. If a device cannot start the regular Windows operating system, the device tries to start WinRE. -The provisioning process enables BitLocker Drive Encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. +The provisioning process enables BitLocker drive encryption on the operating system drive during the Windows PE phase of provisioning. This action makes sure that the drive is protected before the full operating system is installed. The provisioning process also creates a system partition for WinRE to use if the system crashes. If WinRE is not available on the device, provisioning stops. 
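Review bot: In the Cause paragraph of the @@ -70,9 hunk, "if it detects a removable bootable media" is ungrammatical, because "media" does not take the singular article. Keep the original "removable bootable media" or write "a removable bootable medium".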
@@ -104,7 +104,7 @@ The procedures described in this section depend on the default disk partitions t ![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png) -To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands: +To verify the configuration of the disk partitions, open an elevated Command Prompt window and run the following commands: ```console diskpart @@ -113,7 +113,7 @@ list volume ![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png) -If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager). +If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager): ![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg) @@ -124,7 +124,6 @@ To verify the status of WinRE on the device, open an elevated Command Prompt win ```console reagentc /info ``` - The output of this command resembles the following. ![Output of the reagentc /info command.](./images/4509193-en-1.png) 
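Review bot: In the reagentc /info hunk, deleting the blank line after the closing code fence leaves the fence directly against "The output of this command resembles the following." Keep a blank line after the fence so the block is separated from the paragraph that follows. That sentence also still ends in a period before the image, while the two other lead-ins touched in this file (the Configuration Manager example and the bcdedit output) were changed to end in a colon; make it consistent.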
@@ -137,13 +136,13 @@ reagentc /enable #### Step 3: Verify the Windows Boot Loader configuration -If the partition status is healthy, but the **reagentc /enable** command results in an error, verify that Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: +If the partition status is healthy, but the **reagentc /enable** command results in an error, verify whether the Windows Boot Loader contains the recovery sequence GUID. To do this, run the following command in an elevated Command Prompt window: ```console bcdedit /enum all ``` -The output of this command resembles the following. +The output of this command resembles the following: :::image type="content" alt-text="Output of the bcdedit /enum all command." source="./images/4509196-en-1.png" lightbox="./images/4509196-en-1.png"::: @@ -159,11 +158,11 @@ The event information resembles the following: ### Cause -The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker Drive Encryption does not support legacy BIOS. +The device must have Unified Extensible Firmware Interface (UEFI) BIOS. Silent BitLocker drive encryption does not support legacy BIOS. ### Resolution -To verify the BIOS mode, use the System Information app. To do this, follow these steps: +To verify the BIOS mode, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. 
@@ -174,7 +173,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device. > [!NOTE] - > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device. + > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker device encryption on the device. ## Error message: The UEFI variable 'SecureBoot' could not be read @@ -184,11 +183,11 @@ You receive an error message that resembles the following: ### Cause -A Platform Configuration Register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of Secure Boot. Silent BitLocker Drive Encryption requires that Secure Boot is turned on. +A platform configuration register (PCR) is a memory location in the TPM. In particular, PCR 7 measures the state of secure boot. Silent BitLocker drive encryption requires the secure boot to be turned on. ### Resolution -You can resolve this issue by verifying the PCR validation profile of the TPM and the Secure Boot state. To do this, follow these steps: +You can resolve this issue by verifying the PCR validation profile of the TPM and the secure boot state. To do this, follow these steps: #### Step 1: Verify the PCR validation profile of the TPM 
@@ -198,17 +197,17 @@ To verify that PCR 7 is in use, open an elevated Command Prompt window and run t Manage-bde -protectors -get %systemdrive% ``` -In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows. +In the TPM section of the output of this command, verify whether the **PCR Validation Profile** setting includes **7**, as follows: ![Output of the manage-bde command.](./images/4509199-en-1.png) -If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on. +If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then secure boot is not turned on. ![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png) -#### 2. Verify the Secure Boot state +#### 2. Verify the secure boot state -To verify the Secure Boot state, use the System Information app. To do this, follow these steps: +To verify the secure boot state, use the System Information application. To do this, follow these steps: 1. Select **Start**, and enter **msinfo32** in the **Search** box. @@ -229,7 +228,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol > > If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns "True." > -> If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns "False." +> If the computer supports secure boot and secure boot is disabled, this cmdlet returns "False." > > If the computer does not support Secure Boot or is a BIOS (non-UEFI) computer, this cmdlet returns "Cmdlet not supported on this platform." 
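Review bot: In the Confirm-SecureBootUEFI note, only the middle of three parallel sentences is lowercased ("If the computer supports secure boot and secure boot is disabled"), while the sentences directly above and below it keep "Secure Boot". Secure Boot is the name of the UEFI feature, so the simplest fix is to drop this change; otherwise all three sentences need the same treatment.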
@@ -237,7 +236,7 @@ To verify the Secure Boot state, use the System Information app. To do this, fol In this case, you are deploying Intune policy to encrypt a Windows 11, Windows 10, version 1809 device, and store the recovery password in Azure Active Directory (Azure AD). As part of the policy configuration, you have selected the **Allow standard users to enable encryption during Azure AD Join** option. -The policy deployment fails and generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): +The policy deployment fails and the failure generates the following events (visible in Event Viewer in the **Applications and Services Logs\\Microsoft\\Windows\\BitLocker API** folder): > Event ID:846 > @@ -270,7 +269,7 @@ The issue affects Windows 11 and Windows 10 version 1809. To resolve this issue, install the [May 21, 2019](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934) update. -## Error message: There are conflicting Group Policy settings for recovery options on operating system drives +## Error message: There are conflicting group policy settings for recovery options on operating system drives You receive a message that resembles the following: 
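Review bot: The heading "Error message: There are conflicting group policy settings..." is presented as the text of an error message, so its casing should follow the string that Windows displays rather than the style guide. Check the actual message and keep "Group Policy" if that is what appears, since readers search on the exact text. In the earlier hunk on this line, "The policy deployment fails and the failure generates the following events" is wordier than the original without adding meaning.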
@@ -278,13 +277,13 @@ You receive a message that resembles the following: ### Resolution -To resolve this issue, review your Group Policy Object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). +To resolve this issue, review your group policy object (GPO) settings for conflicts. For further guidance, see the next section, [Review your BitLocker policy configuration](#policy). For more information about GPOs and BitLocker, see [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)). ## Review your BitLocker policy configuration -For information about how to use policy together with BitLocker and Intune, see the following resources: +For information about the procedure to use policy together with BitLocker and Intune, see the following resources: - [BitLocker management for enterprises: Managing devices joined to Azure Active Directory](./bitlocker-management-for-enterprises.md#managing-devices-joined-to-azure-active-directory) - [BitLocker Group Policy Reference](/previous-versions/windows/it-pro/windows-7/ee706521(v=ws.10)) 
@@ -302,7 +301,7 @@ Intune offers the following enforcement types for BitLocker: If your device runs Windows 10 version 1703 or later, or Windows 11, supports Modern Standby (also known as Instant Go) and is HSTI-compliant, joining the device to Azure AD triggers automatic device encryption. A separate endpoint protection policy is not required to enforce device encryption. -If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following: +If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker drive encryption. The settings for this policy should resemble the following: ![Intune policy settings.](./images/4509186-en-1.png) 
@@ -320,7 +319,7 @@ The OMA-URI references for these settings are as follows: > Because of an update to the BitLocker Policy CSP, if the device uses Windows 10 version 1809 or later, or Windows 11, you can use an endpoint protection policy to enforce silent BitLocker Device Encryption even if the device is not HSTI-compliant. > [!NOTE] -> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker Drive Encryption wizard. +> If the **Warning for other disk encryption** setting is set to **Not configured**, you have to manually start the BitLocker drive encryption wizard. If the device does not support Modern Standby but is HSTI-compliant, and it uses a version of Windows that is earlier than Windows 10, version 1803, or Windows 11, an endpoint protection policy that has the settings that are described in this article delivers the policy configuration to the device. However, Windows then notifies the user to manually enable BitLocker Drive Encryption. To do this, the user selects the notification. This action starts the BitLocker Drive Encryption wizard. 
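Review bot: The note is changed to "BitLocker drive encryption wizard", but the unchanged paragraph immediately below it still says "BitLocker Drive Encryption" and "BitLocker Drive Encryption wizard", and the note above says "BitLocker Device Encryption". Apply one casing across all three passages in this change, or leave this note as it was.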
@@ -339,11 +338,11 @@ The OMA-URI references for these settings are as follows: Value: **1** > [!NOTE] -> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**. Intune can enforce silent BitLocker encryption for Autopilot devices that have standard user profiles. +> This node works together with the **RequireDeviceEncryption** and **AllowWarningForOtherDiskEncryption** nodes. For this reason, when you set **RequireDeviceEncryption** to **1**, **AllowStandardUserEncryption** to **1**, and **AllowWarningForOtherDiskEncryption** to **0**, Intune enforces silent BitLocker encryption for Autopilot devices that have standard user profiles. ## Verifying that BitLocker is operating correctly -During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845. +During regular operations, BitLocker drive encryption generates events such as Event ID 796 and Event ID 845. ![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png) diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md index f5f495064d..df10782087 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md 
@@ -1,89 +1,90 @@ --- -title: BitLocker Network Unlock known issues -description: Describes several known issues that you may encounter while using Network Unlock, and provided guidance for addressing those issues. -ms.reviewer: kaushika +title: BitLocker network unlock known issues +description: Describes several known issues that you may encounter while using network unlock, and provided guidance for addressing those issues. ms.technology: windows-sec ms.prod: m365-security -ms.sitesec: library ms.localizationpriority: medium author: Teresa-Motiv ms.author: v-tappelgate manager: kaushika -audience: ITPro +ms.reviewer: kaushika ms.collection: Windows Security Technologies\BitLocker ms.topic: troubleshooting -ms.date: 10/7/2019 ms.custom: bitlocker --- -# BitLocker Network Unlock: known issues +# BitLocker network unlock: known issues -By using the BitLocker Network Unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To do this, You have to configure your environment to meet the following requirements: +By using the BitLocker network unlock feature, you can manage computers remotely without having to enter a BitLocker PIN when each computer starts up. To configure this behavior, your environment needs to meet the following requirements: -- Each computer belongs to a domain -- Each computer has a wired connection to the corporate network -- The corporate network uses DHCP to manage IP addresses -- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware +- Each computer belongs to a domain. +- Each computer has a wired connection to the internal network. +- The internal network uses DHCP to manage IP addresses. +- Each computer has a DHCP driver implemented in its Unified Extensible Firmware Interface (UEFI) firmware. 
-For general guidelines about how to troubleshoot Network Unlock, see [How to enable Network Unlock: Troubleshoot Network Unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock). +For general guidelines about how to troubleshoot network unlock, see [How to enable network unlock: Troubleshoot network unlock](./bitlocker-how-to-enable-network-unlock.md#troubleshoot-network-unlock). -This article describes several known issues that you may encounter when you use Network Unlock, and provides guidance to address these issues. +This article describes several known issues that you may encounter when you use network unlock, and provides guidance to address these issues. -## Tip: Detect whether BitLocker Network Unlock is enabled on a specific computer +## Tip: Detect whether BitLocker network unlock is enabled on a specific computer -You can use the following steps on computers that have either x64 or x32 UEFI systems. You can also script these commands. +You can use the following steps on computers with either x64 or x32 UEFI firmware. You can also script these commands. -1. Open an elevated Command Prompt window and run the following command: +1. Open an elevated command prompt window and run the following command: ```cmd - manage-bde protectors get + manage-bde -protectors -get + ``` + + ```cmd + manage-bde -protectors -get C: ``` - where \<*Drive*> is the drive letter, followed by a colon (:), of the bootable drive. - If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker Network Unlock. + Where `` is the drive letter, followed by a colon (`:`), of the bootable drive. + If the output of this command includes a key protector of type **TpmCertificate (9)**, the configuration is correct for BitLocker network unlock. 1. 
Start Registry Editor, and verify the following settings: - - Entry **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE: OSManageNKP** is set to **1** - - Subkey **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP\\Certificates** has an entry whose name matches the name of the certificate thumbprint of the Network Unlock key protector that you found in step 1. + - Entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE: OSManageNKP` is set to `1`. + - Subkey `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\FVE_NKP\Certificates` has an entry whose name matches the name of the certificate thumbprint of the network unlock key protector that you found in step 1. -## On a Surface Pro 4 device, BitLocker Network Unlock does not work because the UEFI network stack is incorrectly configured +## 1. On a Surface Pro 4 device, BitLocker network unlock doesn't work because the UEFI network stack is incorrectly configured -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. +You've configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You've configured the UEFI of the device to use DHCP. However, when you restart the device, it still prompts you for the BitLocker PIN. -You test another device, such as a different type of tablet or laptop PC, that is configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. 
+You test another device, such as a different type of tablet or laptop PC that's configured to use the same infrastructure. The device restarts as expected, without prompting for the BitLocker PIN. You conclude that the infrastructure is correctly configured, and the issue is specific to the device. -### Cause +### Cause of issue 1 -The UEFI network stack on the device was incorrectly configured. +The UEFI network stack on the device was incorrectly configured. -### Resolution +### Resolution for issue 1 To correctly configure the UEFI network stack of the Surface Pro 4, you have to use Microsoft Surface Enterprise Management Mode (SEMM). For information about SEMM, see [Enroll and configure Surface devices with SEMM](/surface/enroll-and-configure-surface-devices-with-semm). > [!NOTE] -> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker Network Unlock by configuring the device to use the network as its first boot option. +> If you cannot use SEMM, you may be able to configure the Surface Pro 4 to use BitLocker network unlock by configuring the device to use the network as its first boot option. -## Unable to use BitLocker Network Unlock feature on a Windows client computer +## 2. Unable to use BitLocker network unlock feature on a Windows client computer -You have configured BitLocker Network Unlock as described in [BitLocker: How to enable Network Unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8-based client computer that is connected to the corporate LAN by using an Ethernet Cable. However, when you restart the computer, it still prompts you for the BitLocker PIN. +You have configured BitLocker network unlock as described in [BitLocker: How to enable network unlock](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock). You have a Windows 8 client computer that is connected to the internal network with an ethernet cable. 
However, when you restart the computer, it still prompts you for the BitLocker PIN. -### Cause +### Cause of issue 2 -A Windows 8-based or Windows Server 2012-based client computer sometimes does not receive or use the Network Unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. +A Windows 8-based or Windows Server 2012-based client computer sometimes doesn't receive or use the network unlock protector, depending on whether the client receives unrelated BOOTP replies from a DHCP server or WDS server. -DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. +DHCP servers may send any DHCP options to a BOOTP client as allowed by the DHCP options and BOOTP vendor extensions. This behavior means that because a DHCP server supports BOOTP clients, the DHCP server replies to BOOTP requests. The manner in which a DHCP server handles an incoming message depends in part on whether the message uses the Message Type option: -- The first two messages that the BitLocker Network Unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. -- The third message that the BitLocker Network Unlock client sends does not have the Message Type option. The DHCP server treats the message as a BOOTP request. +- The first two messages that the BitLocker network unlock client sends are DHCP DISCOVER\REQUEST messages. They use the Message Type option, so the DHCP server treats them as DHCP messages. +- The third message that the BitLocker network unlock client sends doesn't have the Message Type option. The DHCP server treats the message as a BOOTP request. -A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. 
The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client does not send a DHCPREQUEST message, nor does that client expect a DHCPACK message. +A DHCP server that supports BOOTP clients must interact with those clients according to the BOOTP protocol. The server must create a BOOTP BOOTREPLY message instead of a DHCP DHCPOFFER message. (In other words, the server must not include the DHCP message option type and must not exceed the size limit for BOOTREPLY messages.) After the server sends the BOOTP BOOTREPLY message, the server marks a binding for a BOOTP client as BOUND. A non-DHCP client doesn't send a DHCPREQUEST message, nor does that client expect a DHCPACK message. -If a DHCP server that is not configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. +If a DHCP server that isn't configured to support BOOTP clients receives a BOOTREQUEST message from a BOOTP client, that server silently discards the BOOTREQUEST message. -For more information about DHCP and BitLocker Network Unlock, see [BitLocker: How to enable Network Unlock: Network Unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence) +For more information about DHCP and BitLocker network unlock, see [BitLocker: How to enable network unlock: network unlock sequence](/windows/device-security/bitlocker/bitlocker-how-to-enable-network-unlock#network-unlock-sequence). -### Resolution +### Resolution for issue 2 -To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. 
\ No newline at end of file +To resolve this issue, change the configuration of the DHCP server by changing the **DHCP** option from **DHCP and BOOTP** to **DHCP**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md index e32e261067..cd0ae7ec94 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-recovery-issues.md @@ -20,7 +20,7 @@ ms.custom: bitlocker # BitLocker recovery: known issues -This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article provides guidance to address these issues. +This article describes common issues that may prevent BitLocker from behaving as expected when you recover a drive, or that may cause BitLocker to start recovery unexpectedly. The article also provides guidance to address these issues. > [!NOTE] > In this article, "recovery password" refers to the 48-digit recovery password and "recovery key" refers to 32-digit recovery key. For more information, see [BitLocker key protectors](./prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors). 
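Review bot: In ts-bitlocker-network-unlock-issues.md, the reworded Tip sentence keeps "x64 or x32 UEFI firmware"; "x32" is not a Windows architecture name, so use "x64 or x86 (32-bit)". In step 1 of the same section, the sentence beginning "Where" shows an empty code span where the drive placeholder should be, and the two command blocks (one with no drive argument, one with a hard-coded C:) no longer match the explanation; show a single command with a visible placeholder. The front matter description also still reads "and provided guidance", which should be "provides".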
@@ -31,7 +31,7 @@ Windows prompts you for a BitLocker recovery password. However, you did not conf ### Resolution -The BitLocker and Active Directory Domain Services (AD DS) FAQ addresses situations that may produce this symptom, and provides information about how to resolve the issue: +The BitLocker and Active Directory Domain Services (AD DS) FAQ address situations that may produce this symptom, and provides information about the procedure to resolve the issue: - [What if BitLocker is enabled on a computer before the computer has joined the domain?](./bitlocker-and-adds-faq.yml#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) @@ -60,7 +60,7 @@ You can use either of the following methods to manually back up or synchronize a ## Tablet devices do not support using Manage-bde -forcerecovery to test recovery mode -You have a tablet or slate device, and you try to test BitLocker Recovery by running the following command: +You have a tablet or slate device, and you try to test BitLocker recovery by running the following command: ```console Manage-bde -forcerecovery 
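Review bot: In the @@ -31,7 hunk above, the added Resolution sentence breaks subject-verb agreement: "FAQ address situations ... and provides information" gives the same subject one plural and one singular verb. The removed line had "addresses ... and provides", which was correct. Keep "addresses", and if the rewording is wanted, change only "how to resolve the issue" to "the procedure to resolve the issue".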
@@ -73,7 +73,7 @@ However, after you enter the recovery password, the device cannot start. > [!IMPORTANT] > Tablet devices do not support the **manage-bde -forcerecovery** command. -This issue occurs because the Windows Boot Manager cannot process touch input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch input. +This issue occurs because the Windows Boot Manager cannot process touch-input during the pre-boot phase of startup. If Boot Manager detects that the device is a tablet, it redirects the startup process to the Windows Recovery Environment (WinRE), which can process touch-input. If WindowsRE detects the TPM protector on the hard disk, it does a PCR reseal. However, the **manage-bde -forcerecovery** command deletes the TPM protectors on the hard disk. Therefore, WinRE cannot reseal the PCRs. This failure triggers an infinite BitLocker recovery cycle and prevents Windows from starting. @@ -103,7 +103,7 @@ To resolve the restart loop, follow these steps: ## After you install UEFI or TPM firmware updates on Surface, BitLocker prompts for the recovery password -You have a Surface device that has BitLocker Drive Encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. +You have a Surface device that has BitLocker drive encryption turned on. You update the firmware of the device TPM or install an update that changes the signature of the system firmware. For example, you install the Surface TPM (IFX) update. You experience one or more of the following symptoms on the Surface device: 
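Review bot: In the @@ -73,7 hunk, "touch-input" is hyphenated in both places where it is used as a noun ("cannot process touch-input", "which can process touch-input"). A hyphen belongs only in a compound modifier, so the original "touch input" should stay. While this paragraph is open, the unchanged line right after it says "WindowsRE" where the surrounding text uses "WinRE", which is worth aligning in the same change.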
@@ -115,14 +115,14 @@ You experience one or more of the following symptoms on the Surface device: This issue occurs if the Surface device TPM is configured to use Platform Configuration Register (PCR) values other than the default values of PCR 7 and PCR 11. For example, the following settings can configure the TPM this way: -- Secure Boot is turned off. -- PCR values have been explicitly defined, such as by Group Policy. +- Secure boot is turned off. +- PCR values have been explicitly defined, such as by group policy. Devices that support Connected Standby (also known as *InstantGO* or *Always On, Always Connected PCs*), including Surface devices, must use PCR 7 of the TPM. In its default configuration on such systems, BitLocker binds to PCR 7 and PCR 11 if PCR 7 and Secure Boot are correctly configured. For more information, see "About the Platform Configuration Register (PCR)" at [BitLocker Group Policy Settings](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj679890(v=ws.11)#about-the-platform-configuration-register-pcr)). ### Resolution -To verify the PCR values that are in use on a device, open and elevated Command Prompt window and run the following command: +To verify the PCR values that are in use on a device, open an elevated Command Prompt window and run the following command: ```console manage-bde.exe -protectors -get : 
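Review bot: The first list item is lowercased to "Secure boot is turned off", but the unchanged paragraph directly below it still reads "if PCR 7 and Secure Boot are correctly configured", so the hunk leaves two spellings of the same feature a few lines apart. Either keep "Secure Boot" in the list or update that paragraph in the same change. The same context paragraph also ends its link with a stray second ")" ("...#about-the-platform-configuration-register-pcr))."), which could be dropped here. The "open and elevated" to "open an elevated" fix is correct.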
@@ -170,7 +170,7 @@ To do this, follow these steps: 1. When you are prompted, enter the BitLocker recovery password that you obtained in step 1. > [!NOTE] -> After you disable the TPM protectors, BitLocker Drive Encryption no longer protects your device. To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +> After you disable the TPM protectors, BitLocker drive encryption no longer protects your device. To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. #### Step 2: Use Surface BMR to recover data and reset your device @@ -193,9 +193,9 @@ To recover data from your Surface device if you cannot start Windows, follow ste #### Step 3: Restore the default PCR values -To prevent this issue from recurring, we strongly recommend that you restore the default configuration of Secure Boot and the PCR values. +To prevent this issue from recurring, we strongly recommend that you restore the default configuration of secure boot and the PCR values. -To enable Secure Boot on a Surface device, follow these steps: +To enable secure boot on a Surface device, follow these steps: 1. Suspend BitLocker. to do this, open an elevated Windows PowerShell window, and run the following cmdlet: @@ -212,6 +212,7 @@ To enable Secure Boot on a Surface device, follow these steps: 1. Open an elevated PowerShell window, and run the following cmdlet: ```powershell + Resume-BitLocker -MountPoint ":" ``` @@ -252,7 +253,6 @@ To suspend BitLocker while you install TPM or UEFI firmware updates: Suspend-BitLocker -MountPoint ":" -RebootCount 0 ``` - In this cmdlet <*DriveLetter*> is the letter that is assigned to your drive. 1. Install the Surface device driver and firmware updates. 
@@ -263,7 +263,7 @@ To suspend BitLocker while you install TPM or UEFI firmware updates: Resume-BitLocker -MountPoint ":" ``` -To re-enable BitLocker Drive Encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. +To re-enable BitLocker drive encryption, select **Start**, type **Manage BitLocker**, and then press Enter. Follow the steps to encrypt your drive. ## After you install an update to a Hyper V-enabled computer, BitLocker prompts for the recovery password and returns error 0xC0210000 @@ -341,5 +341,5 @@ For more information about this technology, see [Windows Defender System Guard: To resolve this issue, do one of the following: -- Remove any device that uses TPM 1.2 from any group that is subject to Group Policy Objects (GPOs) that enforce Secure Launch. +- Remove any device that uses TPM 1.2 from any group that is subject to GPOs that enforce secure launch. - Edit the **Turn On Virtualization Based Security** GPO to set **Secure Launch Configuration** to **Disabled**. diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md index 680cbb7c42..aec78e2149 100644 --- a/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md +++ b/windows/security/information-protection/bitlocker/ts-bitlocker-tpm-issues.md 
@@ -18,17 +18,17 @@ ms.custom: bitlocker # BitLocker and TPM: other known issues -This article describes common issues that relate directly to the Trusted Platform Module (TPM), and provides guidance to address these issues. +This article describes common issues that relate directly to the trusted platform module (TPM), and provides guidance to address these issues. -## Azure AD: Windows Hello for Business and single sign-on do not work +## Azure AD: Windows Hello for Business and single sign-on don't work -You have an Azure Active Directory (Azure AD)-joined client computer that cannot authenticate correctly. You experience one or more of the following symptoms: +You have an Azure Active Directory (Azure AD)-joined client computer that can't authenticate correctly. You experience one or more of the following symptoms: -- Windows Hello for Business does not work. +- Windows Hello for Business doesn't work. - Conditional access fails. -- Single sign-on (SSO) does not work. +- Single sign-on (SSO) doesn't work. -Additionally, the computer logs an entry for Event ID 1026, which resembles the following: +Additionally, the computer logs the following entry for Event ID 1026: > Log Name: System > Source: Microsoft-Windows-TPM-WMI 
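Review bot: The last changed line replaces "logs an entry for Event ID 1026, which resembles the following" with "logs the following entry for Event ID 1026", which turns the quoted block from an example into a claim of exact text. The original wording marked the event as a sample. Keep "resembles the following" (or "similar to the following") so readers match on the source Microsoft-Windows-TPM-WMI and the event ID rather than on the whole entry.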
@@ -46,27 +46,27 @@ Additionally, the computer logs an entry for Event ID 1026, which resembles the ### Cause -This event indicates that the TPM is not ready or has some setting that prevents access to the TPM keys. +This event indicates that the TPM isn't ready or has some setting that prevents access to the TPM keys. -Additionally, the behavior indicates that the client computer cannot obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). +Additionally, the behavior indicates that the client computer can't obtain a [Primary Refresh Token (PRT)](/azure/active-directory/devices/concept-primary-refresh-token). ### Resolution -To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT was not issued. This may indicate that the computer could not present its certificate for authentication. +To verify the status of the PRT, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd) to collect information. In the tool output, verify that either **User state** or **SSO state** contains the **AzureAdPrt** attribute. If the value of this attribute is **No**, the PRT wasn't issued. This may indicate that the computer couldn't present its certificate for authentication. To resolve this issue, follow these steps to troubleshoot the TPM: 1. Open the TPM management console (tpm.msc). To do this, select **Start**, and enter **tpm.msc** in the **Search** box. 1. If you see a notice to either unlock the TPM or reset the lockout, follow those instructions. -1. If you do not see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. -1. 
Contact the hardware vendor to determine whether there is a known fix for the issue. -1. If you still cannot resolve the issue, clear and re-initialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +1. If you don't see such a notice, review the BIOS settings of the computer for any setting that you can use to reset or disable the lockout. +1. Contact the hardware vendor to determine whether there's a known fix for the issue. +1. If you still can't resolve the issue, clear and reinitialize the TPM. To do this, follow the instructions in [Troubleshoot the TPM: Clear all the keys from the TPM](../tpm/initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). > [!WARNING] > Clearing the TPM can cause data loss. -## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider is not ready for use +## TPM 1.2 Error: Loading the management console failed. The device that is required by the cryptographic provider isn't ready for use -You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive a message that resembles the following: +You have a Windows 11 or Windows 10 version 1703-based computer that uses TPM version 1.2. When you try to open the TPM management console, you receive the following message: > Loading the management console failed. The device that is required by the cryptographic provider is not ready for use. > HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY 
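Review bot: The trailing context line "HRESULT 0x800900300x80090030 - NTE\_DEVICE\_NOT\_READY" prints the error code twice with no separator, and this hunk rewrites the sentence that introduces that message without fixing it. Because the intro now says "you receive the following message" instead of "a message that resembles the following", the quoted text has to be exact: reduce it to a single "0x80090030".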
@@ -83,26 +83,26 @@ These symptoms indicate that the TPM has hardware or firmware issues. To resolve this issue, switch the TPM operating mode from version 1.2 to version 2.0. -If this does not resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. +If this doesn't resolve the issue, consider replacing the device motherboard. After you replace the motherboard, switch the TPM operating mode from version 1.2 to version 2.0. -## Devices do not join hybrid Azure AD because of a TPM issue +## Devices don't join hybrid Azure AD because of a TPM issue -You have a device that you are trying to join to a hybrid Azure AD. However, the join operation appears to fail. +You have a device that you're trying to join to a hybrid Azure AD. However, the join operation appears to fail. To verify that the join succeeded, use the [dsregcmd /status command](/azure/active-directory/devices/troubleshoot-device-dsregcmd). In the tool output, the following attributes indicate that the join succeeded: - **AzureAdJoined: YES** - **DomainName: \<*on-prem Domain name*\>** -If the value of **AzureADJoined** is **No**, the join failed. +If the value of **AzureADJoined** is **No**, the join operation failed. ### Causes and Resolutions -This issue may occur when the Windows operating system is not the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: +This issue may occur when the Windows operating system isn't the owner of the TPM. The specific fix for this issue depends on which errors or events you experience, as shown in the following table: |Message |Reason | Resolution| | - | - | - | -|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. 
Make sure that you create the sysprep image by using a computer that is not joined to or registered in Azure AD or hybrid Azure AD. | +|NTE\_BAD\_KEYSET (0x80090016/-2146893802) |TPM operation failed or was invalid |This issue was probably caused by a corrupted sysprep image. Make sure that you create the sysprep image by using a computer that isn't joined to or registered in Azure AD or hybrid Azure AD. | |TPM\_E\_PCP\_INTERNAL\_ERROR (0x80290407/-2144795641) |Generic TPM error. |If the device returns this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | |TPM\_E\_NOTFIPS (0x80280036/-2144862154) |The FIPS mode of the TPM is currently not supported. |If the device gives this error, disable its TPM. Windows 10, version 1809 and later versions, or Windows 11 automatically detect TPM failures and finish the hybrid Azure AD join without using the TPM. | |NTE\_AUTHENTICATION\_IGNORED (0x80090031/-2146893775) |The TPM is locked out. |This error is transient. Wait for the cooldown period, and then retry the join operation. | diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index cebb1539b9..7fe79ded9f 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md 
@@ -23,66 +23,66 @@ ms.date: 04/02/2019 - Windows Server 2016 - Azure Stack HCI -Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. +Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management. -By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. +By offloading the cryptographic operations to a hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. -Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012. +Encrypted hard drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to encrypted hard drives without additional modification, beginning with Windows 8 and Windows Server 2012. -Encrypted Hard Drives provide: +Encrypted hard drives provide: - **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. - **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. 
User authentication is performed by the drive before it will unlock, independently of the operating system - **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive. - **Lower cost of ownership**: There's no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process. -Encrypted Hard Drives are supported natively in the operating system through the following mechanisms: +Encrypted hard drives are supported natively in the operating system through the following mechanisms: -- **Identification**: The operating system can identify that the drive is an Encrypted Hard Drive device type -- **Activation**: The operating system disk management utility can activate, create and map volumes to ranges/bands as appropriate -- **Configuration**: The operating system can create and map volumes to ranges/bands as appropriate -- **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE) -- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience. +- **Identification**: The operating system identifies that the drive is an Encrypted hard drive device type. +- **Activation**: The operating system disk management utility activates, creates and maps volumes to ranges/bands as appropriate. +- **Configuration**: The operating system creates and maps volumes to ranges/bands as appropriate. +- **API**: API support for applications to manage Encrypted hard drives independent of BitLocker drive encryption (BDE). 
+- **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end-user experience. >[!WARNING] ->Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment. +>Self-encrypting hard drives and encrypted hard drives for Windows are not the same type of devices. Encrypted hard drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-encrypting hard drives do not have these requirements. It is important to confirm that the device type is an encrypted hard drive for Windows when planning for deployment. If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). ## System Requirements -To use Encrypted Hard Drives, the following system requirements apply: +To use encrypted hard drives, the following system requirements apply: -For an Encrypted Hard Drive used as a **data drive**: +For an encrypted hard drive used as a **data drive**: - The drive must be in an uninitialized state. - The drive must be in a security inactive state. -For an Encrypted Hard Drive used as a **startup drive**: +For an encrypted hard drive used as a **startup drive**: - The drive must be in an uninitialized state. - The drive must be in a security inactive state. - The computer must be UEFI 2.3.1 based and have the EFI\_STORAGE\_SECURITY\_COMMAND\_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive). 
-- The computer must have the Compatibility Support Module (CSM) disabled in UEFI. +- The computer must have the compatibility support module (CSM) disabled in UEFI. - The computer must always boot natively from UEFI. >[!WARNING] ->All Encrypted Hard Drives must be attached to non-RAID controllers to function properly. +>All encrypted hard drives must be attached to non-RAID controllers to function properly. ## Technical overview -Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later, Encrypted Hard Drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an Encrypted Hard Drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. +Rapid encryption in BitLocker directly addresses the security needs of enterprises while offering significantly improved performance. In versions of Windows earlier than Windows Server 2012, BitLocker required a two-step process to complete read/write requests. In Windows Server 2012, Windows 8, or later versions, encrypted hard drives offload the cryptographic operations to the drive controller for much greater efficiency. When the operating system identifies an encrypted hard drive, it activates the security mode. This activation lets the drive controller generate a media key for every volume that the host computer creates. 
This media key, which is never exposed outside the disk, is used to rapidly encrypt or decrypt every byte of data that is sent or received from the disk. -## Configuring Encrypted Hard Drives as Startup drives +## Configuring encrypted hard drives as startup drives -Configuration of Encrypted Hard Drives as startup drives is done using the same methods as standard hard drives. These methods include: +Configuration of encrypted hard drives as startup drives is done using the same methods as standard hard drives. These methods include: - **Deploy from media**: Configuration of Encrypted Hard Drives happens automatically through the installation process. - **Deploy from network**: This deployment method involves booting a Windows PE environment and using imaging tools to apply a Windows image from a network share. Using this method, the Enhanced Storage optional component needs to be included in the Windows PE image. You can enable this component using Server Manager, Windows PowerShell, or the DISM command line tool. If this component isn't present, configuration of Encrypted Hard Drives won't work. - **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](/windows-hardware/customize/desktop/unattend/microsoft-windows-enhancedstorage-adm-tcgsecurityactivationdisabled) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives. - **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators won't work. 
-## Configuring hardware-based encryption with Group Policy +## Configuring hardware-based encryption with group policy There are three related Group Policy settings that help you manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
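Review bot: The second added paragraph introduces a grammar error: "By offloading the cryptographic operations to a hardware" should stay "to hardware", as in the removed line. The capitalization change is also applied unevenly. Some added lines use "Encrypted hard drives" mid-sentence ("Because Encrypted hard drives encrypt data quickly", "to manage Encrypted hard drives"), others use "encrypted hard drives", and unchanged lines in the same hunk (the "Ease of use" bullet and the four deployment-method bullets) still say "Encrypted Hard Drives". Pick one form and apply it to every line of this section in the same change.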
@@ -90,22 +90,21 @@ There are three related Group Policy settings that help you manage how BitLocker - [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-removable-data-drives) - [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#configure-use-of-hardware-based-encryption-for-operating-system-drives) -## Encrypted Hard Drive Architecture +## Encrypted hard drive architecture -Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK). +Encrypted hard drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the data encryption key (DEK) and the authentication key (AK). The Data Encryption Key is the key used to encrypt all of the data on the drive. The drive generates the DEK and it never leaves the device. It's stored in an encrypted format at a random location on the drive. If the DEK is changed or erased, data encrypted using the DEK is irrecoverable. -The Authentication Key is the key used to unlock data on the drive. A hash of the key is stored on drive and requires confirmation to decrypt the DEK. +The AK is the key used to unlock data on the drive. A hash of the key is stored on the drive and requires confirmation to decrypt the DEK. -When a computer with an Encrypted Hard Drive is in a powered off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the Authentication Key decrypts the Data Encryption Key. Once the Authentication Key decrypts the Data -Encryption Key, read-write operations can take place on the device. 
+When a computer with an encrypted hard drive is in a powered-off state, the drive locks automatically. As a computer powers on, the device remains in a locked state and is only unlocked after the AK decrypts the DEK. Once the AK decrypts the DEK, read-write operations can take place on the device. When writing data to the drive, it passes through an encryption engine before the write operation completes. Likewise, reading data from the drive requires the encryption engine to decrypt the data before passing that data back to the user. In the event that the DEK needs to be changed or erased, the data on the drive doesn't need to be re-encrypted. A new Authentication Key needs to be created and it will re-encrypt the DEK. Once completed, the DEK can now be unlocked using the new AK and read-writes to the volume can continue. -## Re-configuring Encrypted Hard Drives +## Re-configuring encrypted hard drives -Many Encrypted Hard Drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: +Many encrypted hard drive devices come pre-configured for use. If reconfiguration of the drive is required, use the following procedure after removing all available volumes and reverting the drive to an uninitialized state: 1. Open Disk Management (diskmgmt.msc) 2. Initialize the disk and select the appropriate partition style (MBR or GPT) diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 1220e20185..f7bfc44de4 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md 
@@ -50,7 +50,7 @@ This table includes all available attributes/elements for the **Log** element. T |Attribute/Element |Value type |Description | |----------|-----------|------------| |ProviderType |String |This is always **EDPAudit**. | -|LogType |String |Includes:
        • **DataCopied.** Work data is copied or shared to a personal location.
        • **ProtectionRemoved.** WIP protection is removed from a Work-defined file.
        • **ApplicationGenerated.** A custom audit log provided by an app.
        | +|LogType |String |Includes:
        • **DataCopied.** Work data is copied or shared to a personal location.
        • **ProtectionRemoved.** Windows Information Protection is removed from a Work-defined file.
        • **ApplicationGenerated.** A custom audit log provided by an app.
        | |TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. | |Policy |String |How the work data was shared to the personal location:
        • **CopyPaste.** Work data was pasted into a personal location or app.
        • **ProtectionRemoved.** Work data was changed to be unprotected.
        • **DragDrop.** Work data was dropped into a personal location or app.
        • **Share.** Work data was shared with a personal location or app.
        • **NULL.** Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).
        | |Justification |String |Not implemented. This will always be either blank or NULL.

        **Note**
        Reserved for future use to collect the user justification for changing from **Work** to **Personal**. | @@ -160,7 +160,7 @@ Here are a few examples of responses from the Reporting CSP. ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) -Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer. +Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer. **To view the WIP events in the Event Viewer** diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 8a0ecac521..fdbf865d8a 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md 
@@ -65,12 +65,12 @@ The **Configure Windows Information Protection settings** page appears, where yo ## Add app rules to your policy -During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!IMPORTANT] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

        Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

        Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ### Add a store app rule to your policy For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -278,7 +278,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The file is imported and the apps are added to your **App Rules** list. ### Exempt apps from WIP restrictions -If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. +If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index a1dba47f5e..21a45af6ca 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md 
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -37,7 +37,7 @@ Apps can be enlightened or unenlightened: - Windows **Save As** experiences only allow you to save your files as enterprise. -- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. +- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: 
@@ -75,10 +75,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft To Do > [!NOTE] -> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. +> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. ## List of WIP-work only apps from Microsoft -Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions. +Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions. - Skype for Business @@ -102,7 +102,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** Microsoft.Office.PowerPoint
        **App Type:** Universal app | | OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** Microsoft.Office.OneNote
        **App Type:** Universal app | | Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** microsoft.windowscommunicationsapps
        **App Type:** Universal app | -| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
        We don't recommend setting up Office by using individual paths or publisher rules. | +| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
        We don't recommend setting up Office by using individual paths or publisher rules. | | Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** Microsoft.Windows.Photos
        **App Type:** Universal app | | Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** Microsoft.ZuneMusic
        **App Type:** Universal app | | Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
        **Product Name:** Microsoft.ZuneVideo
        **App Type:** Universal app | diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 5462ca7f17..18726f1c02 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -22,7 +22,7 @@ ms.localizationpriority: medium **Applies to:** - Windows 10, version 1607 and later -This following list provides info about the most common problems you might encounter while running WIP in your organization. +This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization. - **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - **How it appears**: 
@@ -33,12 +33,12 @@ This following list provides info about the most common problems you might encou We strongly recommend educating employees about how to limit or eliminate the need for this decryption. -- **Limitation**: Direct Access is incompatible with WIP. - - **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. +- **Limitation**: Direct Access is incompatible with Windows Information Protection. + - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. - **Workaround**: We recommend that you use VPN for client access to your intranet resources. > [!NOTE] - > VPN is optional and isn’t required by WIP. + > VPN is optional and isn’t required by Windows Information Protection. - **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings. - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. 
@@ -48,7 +48,7 @@ This following list provides info about the most common problems you might encou - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. - **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. -- **Limitation**: WIP is designed for use by a single user per device. +- **Limitation**: Windows Information Protection is designed for use by a single user per device. - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. - **Workaround**: We recommend only having one user per managed device. 
@@ -67,14 +67,14 @@ This following list provides info about the most common problems you might encou - **Limitation**: Changing your primary Corporate Identity isn’t supported. - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. - - **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. + - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. -- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP. +- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection. - **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file. - **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. > [!NOTE] - > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). + > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). 
If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). - **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. - **How it appears**: 
@@ -83,23 +83,23 @@ This following list provides info about the most common problems you might encou - Local **Work** data copied to the WIP-managed device remains **Work** data. - **Work** data that is copied between two apps in the same session remains ** data. - - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. + - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default. - **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. - **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload. - **Limitation**: ActiveX controls should be used with caution. - - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. + - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection. - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). -- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP. - - **How it appears**:Trying to save or transfer WIP files to ReFS will fail. 
+- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection. + - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail. - **Workaround**: Format drive for NTFS, or use a different drive. -- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: +- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: - AppDataRoaming - Desktop - StartMenu @@ -116,10 +116,10 @@ This following list provides info about the most common problems you might encou
        - - **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. + - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. - **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). - If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. + If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip). 
@@ -134,7 +134,7 @@ This following list provides info about the most common problems you might encou - **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. - **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. -- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. +- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection. - **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. - **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps: 
@@ -150,6 +150,6 @@ This following list provides info about the most common problems you might encou > [!NOTE] > -> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. +> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. > > - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index cf0c2bbce8..6c2ccfde53 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -13,7 +13,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/05/2019 +ms.date: 05/25/2022 ms.reviewer: --- 
@@ -26,8 +26,8 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| -|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. | +|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

        Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

        Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index aabc6b7080..89d703af97 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md 
@@ -31,14 +31,14 @@ With the increase of employee-owned devices in the enterprise, there’s also an Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. >[!IMPORTANT] ->While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic. +>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic. ## Video: Protect enterprise data from being accidentally copied to the wrong place > [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh] ## Prerequisites -You’ll need this software to run WIP in your enterprise: +You’ll need this software to run Windows Information Protection in your enterprise: |Operating system | Management solution | |-----------------|---------------------| 
@@ -70,7 +70,7 @@ After the type of protection is set, the creating app encrypts the document so t Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. ## Benefits of WIP -WIP provides: +Windows Information Protection provides: - Obvious separation between personal and corporate data, without requiring employees to switch environments or apps. - Additional data protection for existing line-of-business apps without a need to update the apps. 
@@ -79,12 +79,12 @@ WIP provides: - Use of audit reports for tracking issues and remedial actions. -- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company. +- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company. ## Why use WIP? -WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). +Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. 
Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. - **Manage your enterprise documents, apps, and encryption modes.** 
@@ -99,21 +99,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. + - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media. - Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document. + Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document. 
- - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. 
-- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. +- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. >[!NOTE] >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
        Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works -WIP helps address your everyday challenges in the enterprise. Including: +Windows Information Protection helps address your everyday challenges in the enterprise. Including: - Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down. @@ -124,7 +124,7 @@ WIP helps address your everyday challenges in the enterprise. Including: - Helping control the network and data access and data sharing for apps that aren’t enterprise aware ### Enterprise scenarios -WIP currently addresses these enterprise scenarios: +Windows Information Protection currently addresses these enterprise scenarios: - You can encrypt enterprise data on employee-owned and corporate-owned devices. - You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data. 
@@ -134,21 +134,21 @@ WIP currently addresses these enterprise scenarios: - Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. ### WIP-protection modes -Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. +Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. -Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. 
+Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). -You can set your WIP policy to use 1 of 4 protection and management modes: +You can set your Windows Information Protection policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| -|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. 
However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| -|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| -|Off |WIP is turned off and doesn't help to protect or audit your data.

        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. | +|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| +|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| +|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

        After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. | ## Turn off WIP You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index d5400291be..c55f4fe75b 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -25,7 +25,7 @@ ms.reviewer: >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. +We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically. ## Recommended Enterprise Cloud Resources 
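Review bot: in protect-enterprise-data-using-wip.md, the Off row of the protection-mode table now uses both names inside one cell. The added row opens with "Windows Information Protection is turned off" and closes with "if you turn Windows Information Protection back on", but the sentence between them still reads "After you turn off WIP, an attempt is made to decrypt any WIP-tagged files". The Silent row keeps "WIP-protected data" in the same way. Either expand these as well, or adopt one rule (full name on first use in a section, abbreviation afterwards) and apply it to every touched line. As written, adjacent sentences name the same control two ways, and a reader can take them for two different features.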
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index cd707f5044..84dae48f11 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -29,7 +29,7 @@ Use Task Manager to check the context of your apps while running in Windows Info ## Viewing the Enterprise Context column in Task Manager You need to add the Enterprise Context column to the **Details** tab of the Task Manager. -1. Make sure that you have an active WIP policy deployed and turned on in your organization. +1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization. 2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**. @@ -50,7 +50,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources. -- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). +- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components). > [!Important] > Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 310538cbee..305b40e22f 100644 --- a/windows/security/operating-system.md 
+++ b/windows/security/operating-system.md @@ -5,9 +5,6 @@ ms.reviewer: ms.topic: article manager: dansimp ms.author: deniseb -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: denisebmsft ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md index 0d118520fc..1dc5324f16 100644 --- a/windows/security/security-foundations.md +++ b/windows/security/security-foundations.md @@ -5,9 +5,6 @@ ms.reviewer: ms.topic: article manager: dansimp ms.author: deniseb -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: denisebmsft ms.collection: M365-security-compliance ms.prod: m365-security diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index aa92e85a9c..58035d8f4d 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
@@ -1,61 +1,21 @@ ### YamlMime:FAQ metadata: title: Advanced security auditing FAQ (Windows 10) - description: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 - ms.reviewer: - ms.author: dansimp + description: This article lists common questions and answers about understanding, deploying, and managing security audit policies. ms.prod: m365-security - ms.mktglfcycl: deploy - ms.sitesec: library - ms.pagetype: security + ms.technology: mde ms.localizationpriority: none author: dansimp + ms.author: dansimp manager: dansimp - audience: ITPro + ms.reviewer: ms.collection: M365-security-compliance ms.topic: faq - ms.date: 11/10/2021 - ms.technology: mde + ms.date: 05/24/2022 + title: Advanced security auditing FAQ -summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - - - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - - - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - - - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) - - - [Why are audit policies applied on a per-computer basis rather than per 
user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) - - - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) - - - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) - - - [What is the difference between success and failure events? Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) - - - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) - - - [How do I ascertain the purpose for accessing a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) - - - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) - - - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) - - - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) - - - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) - - - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) - - - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) - - - [Where can I find 
more detailed information?](#where-can-i-find-more-detailed-information-) - +summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. sections: - name: Ignored 
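Review bot: the new metadata description and the top-level summary now state the same thing in two different wordings ("This article lists common questions and answers about ..." versus "This article for the IT professional lists questions and answers about ..."), and "audience: ITPro" is removed while the summary still addresses "the IT professional". Use one sentence for both fields so they do not drift apart. The removed in-page link list also carried the anchors for every question, and later hunks in this file rename one question and delete another, so check for inbound links to those anchors before merging.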
@@ -70,36 +30,37 @@ sections: - question: | What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration? answer: | - The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. + The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe. - There are a number of additional differences between the security audit policy settings in these two locations. + There are several other differences between the security audit policy settings in these two locations. There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy - Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. 
For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking. + Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking. - In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. + In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing. 
- The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** were introduced in Windows 2000. Therefore, they are available in all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Server 2008, and later. + The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows. - question: | What is the interaction between basic audit policy settings and advanced audit policy settings? answer: | - Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. + Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. - Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO), so changes made here may not be exactly reflected in Auditpol.exe if there are policies from other domain GPOs or logon scripts. 
Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. However, because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied. + Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied. - > **Important**  Whether you apply advanced audit policies by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. + > [!Important] + > Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting. 
- If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored. -   + If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored. + - question: | - How are audit settings merged by Group Policy? + How are audit settings merged by group policy? answer: | By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level. - For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level (unless you have taken special steps to apply Group Policy loopback processing). + For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. 
Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing. - The rules that govern how Group Policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. + The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior. | Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer | 
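Review bot: the bolded setting name under Local Policies\Security Options loses "(Windows Vista or later)" on the added line, which now reads "**Audit: Force audit policy subcategory settings to override audit policy category settings**". Bold text at this point is read as the literal label an admin looks for in the policy editor, so unless the label itself has changed, keep it verbatim as on the removed line. This is the setting the paragraph relies on to stop basic and advanced audit policy from conflicting, so the name needs to be findable. In the same hunk, "account logon" becomes "account sign-in" in running prose while "**Audit account logon events**" and "advanced account logon setting" stay, so one paragraph now uses two terms for the same setting. Keep "logon" wherever the text refers to the setting or the event category.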
@@ -111,74 +72,68 @@ sections: - question: | What is the difference between an object DACL and an object SACL? answer: | - All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: + All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs: - A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access - A system access control list (SACL) that controls how access is audited The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access. - If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. 
However, auditing is not configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. + If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied. - question: | Why are audit policies applied on a per-computer basis rather than per user? answer: | In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer. - In addition, because audit policy capabilities can vary between computers running different versions of Windows, the best way to ensure that the audit policy is applied correctly is to base these settings on the computer instead of the user. + Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user. - However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. 
This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1, but because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. + However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events. - question: | - What are the differences in auditing functionality between versions of Windows? + Are there any differences in auditing functionality between versions of Windows? answer: | - Basic audit policy settings are available in all versions of Windows since Windows 2000, and they can be applied locally or by using Group Policy. Advanced audit policy settings were introduced in Windows Vista and Windows Server 2008, but the settings can only be applied by using logon scripts in those versions. Advanced audit policy settings, which were introduced in Windows 7 and Windows Server 2008 R2, can be configured and applied by using local and domain Group Policy settings. - - - question: | - Can I use advanced audit policies from a domain controller running Windows Server 2003 or Windows 2000 Server? 
- answer: | - To use advanced audit policy settings, your domain controller must be installed on a computer running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003 with Service Pack 2 (SP2). Windows 2000 Server is not supported. + No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings. - question: | What is the difference between success and failure events? Is something wrong if I get a failure audit? answer: | A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully. - A failure audit event is triggered when a defined action, such as a user logon, is not completed successfully. + A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully. - The appearance of failure audit events in the event log does not necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password. + The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password. - question: | How can I set an audit policy that affects all objects on a computer? answer: | System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL. 
- Introduced in Windows Server 2008 R2 and Windows 7, security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy (or a single registry setting SACL and a global object access auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. + + Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy. - question: | How do I figure out why someone was able to access a resource? 
answer: | - Often it is not enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. + Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting. - question: | How do I know when changes are made to access control settings, by whom, and what the changes were? answer: | - To track access control changes on computers running Windows Server 2016, Windows Server 2012 R2, Windows Server 2012 Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, you need to enable the following settings, which track changes to DACLs: + To track access control changes, you need to enable the following settings, which track changes to DACLs: - **Audit File System** subcategory: Enable for success, failure, or success and failure - **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure - A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor - - In Windows XP and Windows Server 2003, you need to use the **Audit policy change** subcategory. - + - question: | How can I roll back security audit policies from the advanced audit policy to the basic audit policy? answer: | Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings: 1. 
Set all Advanced Audit Policy subcategories to **Not configured**. - 2. Delete all audit.csv files from the %SYSVOL% folder on the domain controller. + 2. Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller. 3. Reconfigure and apply the basic audit policy settings. - Unless you complete all of these steps, the basic audit policy settings will not be restored. + Unless you complete all of these steps, the basic audit policy settings won't be restored. - question: | How can I monitor if changes are made to audit policy settings? 
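Review bot: In the per-computer audit policy answer, the rewritten last sentence still reads "only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events". The subject is plural, so it should be "generate audit events". Since this sentence is being split anyway, consider replacing "Payroll Processors OU" with a security group name in both places: the preceding sentence says the SACL enables auditing "for a security group", and a SACL entry names a user or group SID, not an OU.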
@@ -201,27 +156,25 @@ sections: - question: | What are the best tools to model and manage audit policies? answer: | - The integration of advanced audit policy settings with domain Group Policy, introduced in Windows 7 and Windows Server 2008 R2, is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy Group Policy Objects for a domain can also be used to plan and deploy security audit policies. - On an individual computer, the Auditpol command-line tool can be used to complete many important audit policy–related management tasks. + The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies. + On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks. - In addition, there are a number of computer management products, such as the Audit Collection Services in the Microsoft System Center Operations Manager products, which can be used to collect and filter event data. + There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs). - question: | Where can I find information about all the possible events that I might receive? answer: | - Users who examine the security event log for the first time can be a bit overwhelmed by the number of audit events that are stored there (which can quickly number in the thousands) and by the structured information that is included for each audit event. 
Additional information about these events, and the settings used to generate them, can be obtained from the following resources: + Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources: - - [Windows 8 and Windows Server 2012 Security Event Details](https://www.microsoft.com/download/details.aspx?id=35753) - - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) - - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?linkid=121868) - - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) + - [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034) + - [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630) + - [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) - question: | Where can I find more detailed information? 
answer: | To learn more about security audit policies, see the following resources: - - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) - - [Security Monitoring and Attack Detection Planning Guide](https://social.technet.microsoft.com/wiki/contents/articles/325.advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx) - - [Security Audit Events for Windows 7 and Windows Server 2008 R2](https://go.microsoft.com/fwlink/p/?linkid=157780) - - [Security Audit Events for Windows Server 2008 and Windows Vista](https://go.microsoft.com/fwlink/p/?LinkId=121868) + - [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) + - [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753) + - [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561) diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 7057f8c90f..564c7cdfe4 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,14 +1,9 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. -ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4 ms.reviewer: manager: dansimp -keywords: font blocking, untrusted font blocking, block fonts, untrusted fonts ms.prod: m365-security -ms.mktglfcycl: deploy -ms.pagetype: security -ms.sitesec: library author: dansimp ms.author: dansimp ms.date: 08/14/2017 
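Review bot: In the security auditing FAQ hunk (@@ -201,27 +156,25 @@), the "What are the best tools to model and manage audit policies?" answer lost "Group Policy" along with the Windows 7 reference, leaving "The integration of advanced audit policy settings with domain is designed to simplify ...", which no longer parses. Suggest "with domain group policy is designed to simplify ...". In the same hunk, the "more detailed information" list now points to the Windows 8/Windows Server 2012 and Windows 7/Windows Server 2008 R2 event downloads, while the list in the previous answer was moved to the Windows 10 and Windows Server 2016 reference. Using the current reference in both lists would match the removal of version-specific text elsewhere in this change.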
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 778a829c8b..68328931ed 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -2,7 +2,6 @@ title: Federal Information Processing Standard (FIPS) 140 Validation description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140. ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 5d606c7889..2159488c70 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -1,14 +1,11 @@ --- title: Get support description: Frequently asked question about how to get support for Windows baselines, the Security Compliance Toolkit (SCT), and related topics in your organization. -keywords: virtualization, security, malware ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp author: dulcemontemayor manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/25/2018 diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index c76ead4afc..02f00be3f6 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -1,17 +1,12 @@ --- title: Windows threat protection description: Describes the security capabilities in Windows client focused on threat protection -keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.author: dansimp author: dansimp ms.localizationpriority: medium manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 406ee97c59..c8fafe64a7 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -1,9 +1,7 @@ --- title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. -keywords: MBSA, security, removal ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp author: dansimp diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index e99bc8205f..b641427ea4 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml 
@@ -9,7 +9,6 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 03/14/2022 ms.reviewer: manager: dansimp ms.custom: asr @@ -45,7 +44,7 @@ sections: To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - - It must be a FQDN. A simple IP address will not work. + - It must be an FQDN. A simple IP address won't work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | @@ -54,7 +53,7 @@ sections: Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. - question: | - Which Input Method Editors (IME) in 19H1 are not supported? + Which Input Method Editors (IME) in 19H1 aren't supported? answer: | The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard: 
@@ -74,17 +73,15 @@ sections: - question: | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? answer: | - This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - question: | What is the WDAGUtilityAccount local account? answer: | - WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error: + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error: **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - We recommend that you do not modify this account. 
- - question: | How do I trust a subdomain in my site list? answer: | 
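Review bot: In the WDAGUtilityAccount answer, the new sentence names the right as *Logon as a service*. Windows displays this user right as "Log on as a service", and the doc should use that exact string so readers can find it under User Rights Assignment. "If this permission is denied" can also be read as the separate "Deny log on as a service" right; "If the account doesn't have this right" would be unambiguous. The hunk also drops "We recommend that you do not modify this account." with no replacement. Keep that sentence unless the removal is intentional, since the rest of the answer tells readers the account is legitimate and needed.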
@@ -93,35 +90,35 @@ sections: - question: | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? answer: | - When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). + When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md). - question: | Is there a size limit to the domain lists that I need to configure? answer: | - Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 16383-B limit. + Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit. - question: | Why does my encryption driver break Microsoft Defender Application Guard? answer: | - Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. 
If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - question: | Why do the Network Isolation policies in Group Policy and CSP look different? answer: | - There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. - Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources** - Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)** - - For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + - For EnterpriseNetworkDomainNames, there's no mapped CSP policy. - Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). + Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**). - question: | Why did Application Guard stop working after I turned off hyperthreading? answer: | - If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
+ If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements. - question: | Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index 2b7a3193ab..ffd97aa5cd 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -2,12 +2,9 @@ title: Microsoft Defender Application Guard Extension description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium -author: martyav -ms.author: v-maave +author: aczechowski +ms.author: aaroncz ms.date: 09/09/2021 ms.reviewer: manager: dansimp 
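Review bot: In faq-md-app-guard.yml (@@ -93,35 +90,35 @@), the domain list size answer changes "16383-B limit" to "1,6383-byte limit". The thousands separator is misplaced and it should read "16,383-byte limit". In the same hunk, the Network Isolation answer still ends with the "Application Guard accesses files from a VHD mounted on the host ..." paragraph, which duplicates the encryption driver answer directly above it. The edit updates the wording of the duplicate instead of removing it, and it looks like a paste error worth deleting while these lines are being touched.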
@@ -60,24 +57,24 @@ Both Chrome and Firefox have their own browser-specific group policies. We recom #### Chrome policies -These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). +These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`. Policy name | Values | Recommended setting | Reason -|-|-|- -[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
        `1` = Disabled
        `2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. -[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
        `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. -[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
        `true` or `1` = Enabled

        **Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled
        `1` = Disabled
        `2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
        `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
        `true` or `1` = Enabled

        **Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. [ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. #### Firefox policies -These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). +These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`. Policy name | Values | Recommended setting | Reason -|-|-|- -[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
        `true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard -[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
        `true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security -[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
        `true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed
        `true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it. ## Troubleshooting guide @@ -85,15 +82,15 @@ Policy name | Values | Recommended setting | Reason Error message | Cause | Actions -|-|- -Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
        2. If the companion app is already installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and re-install the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot
        2. If the companion app is already installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and reinstall the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb)
        2. Retry the operation Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser
        2. Check for updates in both the Microsoft store and the respective web store for the affected browser -Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
        2. If the companion app is installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and re-install the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed
        2. If the companion app is installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and reinstall the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb)
        2. Retry the operation -Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
        2. If the companion app is installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and re-install the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser -Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser -Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser -Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
        2. Check if Edge is working
        3. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed.
        2. If the companion app is installed, reboot and see if that resolves the error
        3. If you still see the error after rebooting, uninstall and reinstall the companion app
        4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb)
        2. Check if Microsoft Edge is working
        3. Retry the operation ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 8b9946ec0d..60dacaca16 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -12,6 +12,7 @@ ms.localizationpriority: high ms.reviewer: manager: dansimp ms.technology: windows-sec +adobe-target: true --- # Microsoft Defender SmartScreen @@ -26,7 +27,7 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. 
@@ -40,24 +41,24 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: -- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) +- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. 
For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) -- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. +- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. -- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. +- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. -- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. 
+- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. -- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). +- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). -- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. 
It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. ## Submit files to Microsoft Defender SmartScreen for review -If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](../intelligence/submission-guide.md). +If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md). When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. @@ -66,7 +67,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M ## Viewing Microsoft Defender SmartScreen anti-phishing events > [!NOTE] -> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. +> No SmartScreen events will be logged when using Microsoft Edge version 77 or later. When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). 
@@ -93,3 +94,4 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) - [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings) +- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference) \ No newline at end of file diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index df8eacefc1..9be071fa44 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -2,7 +2,6 @@ title: Microsoft Security Development Lifecycle description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 33712bcefa..681a9ae413 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md 
@@ -3,11 +3,7 @@ manager: dansimp ms.author: dansimp title: Override Process Mitigation Options (Windows 10) description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. -keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options ms.prod: m365-security -ms.mktglfcycl: deploy -ms.pagetype: security -ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium ms.technology: windows-sec diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 9d7d8ad4bc..436d94ab00 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -2,9 +2,6 @@ title: Mitigate threats by using Windows 10 security features (Windows 10) description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.reviewer: diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 087bf0dbc9..ed70e30816 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md 
@@ -1,15 +1,10 @@ --- title: Control the health of Windows 10-based devices (Windows 10) description: This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices. -ms.assetid: 45DB1C41-C35D-43C9-A274-3AD5F31FE873 ms.reviewer: manager: dansimp ms.author: dansimp -keywords: security, BYOD, malware, device health attestation, mobile ms.prod: m365-security -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security, devices author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index ccaba0be7d..0c1396e74f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 ms.technology: windows-sec --- @@ -86,7 +85,7 @@ None. Changes to this policy become effective without a restart when saved local ### Group Policy -Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. +Setting and deploying this policy using Group Policy takes precedence over the setting on the local device. If the Group Policy is set to **Not Configured**, local settings will apply. The policy is applicable to domain controllers only. ### Auditing 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 9376277ddf..411b14fcba 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -1,14 +1,10 @@ --- title: Use Windows Event Forwarding to help with intrusion detection (Windows 10) description: Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. -ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F ms.reviewer: manager: dansimp ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dulcemontemayor ms.date: 02/28/2019 ms.localizationpriority: medium diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index eec6f18251..5901726822 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 ms.technology: windows-sec --- 
@@ -24,10 +23,10 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2012 R2 and later ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. @@ -35,11 +34,14 @@ Before completing this procedure, you should have exported an AppLocker policy. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. ->**Caution:**  Importing a policy will overwrite the existing policy on that computer. +> **Caution:**  Importing a policy will overwrite the existing policy on that computer. **To import an AppLocker policy** 1. From the AppLocker console, right-click **AppLocker**, and then click **Import Policy**. + 2. In the **Import Policy** dialog box, locate the file that you exported, and then click **Open**. + 3. The **Import Policy** dialog box will warn you that importing a policy will overwrite the existing rules and enforcement settings. If acceptable, click **OK** to import and overwrite the policy. + 4. The **AppLocker** dialog box will notify you of how many rules were overwritten and imported. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 3203610df6..d7e1d5636c 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md @@ -14,7 +14,6 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: dansimp manager: dansimp -ms.date: 03/22/2022 ms.technology: windows-sec --- @@ -45,6 +44,9 @@ To create effective WDAC deny policies, it's crucial to understand how WDAC pars 5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. +> [!NOTE] +> If your WDAC policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](use-windows-defender-application-control-with-intelligent-security-graph.md#how-does-the-integration-between-wdac-and-the-intelligent-security-graph-work). + ## Interaction with Existing Policies ### Adding Allow Rules diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..bfdae01ad9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -1,63 +1,64 @@ --- title: Understanding Application Control event IDs (Windows) description: Learn what different Windows Defender Application Control event IDs signify. -keywords: security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.technology: windows-sec ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 04/30/2022 -ms.technology: windows-sec +ms.date: 05/09/2022 +ms.topic: reference --- # Understanding Application Control events -A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: +**Applies to** -- Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** +- Windows 10 +- Windows 11 +- Windows Server 2016 and later (limited events) + +A Windows Defender Application Control policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: + +- Events about Application Control policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** - Events about the control of MSI installers, scripts, and COM objects appear in **Applications and Services logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script** > [!NOTE] > These event IDs are not included on Windows Server Core edition. 
-## WDAC events found in the Microsoft Windows CodeIntegrity Operational log +## Windows CodeIntegrity Operational log | Event ID | Explanation | |--------|-----------| -| 3004 | This event isn't common and may occur with or without a WDAC policy present. It typically indicates a kernel driver tried to load with an invalid signature. For example, the file may not be WHQL-signed on a system where WHQL is required. | -| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option *20 Enabled:Revoked Expired As Unsigned* in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. | -| 3034 | This event isn't common. It is the audit mode equivalent of event 3033 described above. | -| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. | -| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. | -| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the "Correlation ActivityID" found in the "System" portion of the event. | -| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. | +| 3004 | This event isn't common and may occur with or without an Application Control policy present. It typically indicates a kernel driver tried to load with an invalid signature. 
For example, the file may not be WHQL-signed on a system where WHQL is required. | +| 3033 | This event isn't common. It often means the file's signature is revoked or expired. Try using option `20 Enabled:Revoked Expired As Unsigned` in your policy along with a non-signature rule (for example, hash) to address issues with revoked or expired certs. | +| 3034 | This event isn't common. It's the audit mode equivalent of event 3033 described above. | +| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | +| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | +| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. The event shows the total number of signatures found and an index value to identify the current signature. Unsigned files produce a single 3089 event with TotalSignatureCount 0. 3089 events are correlated with 3004, 3033, 3034, 3076 and 3077 events. You can match the events using the `Correlation ActivityID` found in the **System** portion of the event. | +| 3099 | Indicates that a policy has been loaded. This event also includes information about the Application Control policy options that were specified by the policy. | -## WDAC events found in the Microsoft Windows AppLocker MSI and Script log +## Windows AppLocker MSI and Script log | Event ID | Explanation | |--------|-----------| -| 8028 | This event indicates that a script host, such as PowerShell, queried WDAC about a file the script host was about to run. Since the WDAC policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. 
Note: Most third-party script hosts do not integrate with WDAC. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | +| 8028 | This event indicates that a script host, such as PowerShell, queried Application Control about a file the script host was about to run. Since the policy was in audit mode, the script or MSI file should have run. Some script hosts may have additional information in their logs. Note: Most third-party script hosts don't integrate with Application Control. Consider the risks from unverified scripts when choosing which script hosts you allow to run. | | 8029 | This event is the enforcement mode equivalent of event 8028 described above. Note: While this event says that a script was blocked, the actual script enforcement behavior is implemented by the script host. The script host may allow the file to run with restrictions and not block the file outright. For example, PowerShell will allow a script to run but only in [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes.md). | | 8036| COM object was blocked. To learn more about COM object authorization, see [Allow COM object registration in a Windows Defender Application Control policy](allow-com-object-registration-in-windows-defender-application-control-policy.md). | -| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the "Correlation ActivityID" found in the "System" portion of the event. | +| 8038 | Signing information event correlated with either an 8028 or 8029 event. One 8038 event is generated for each signature of a script file. 
Contains the total number of signatures on a script file and an index as to which signature it is. Unsigned script files will generate a single 8038 event with TotalSignatureCount 0. 8038 events are correlated with 8028 and 8029 events and can be matched using the `Correlation ActivityID` found in the **System** portion of the event. | ## Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI) -Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any WDAC policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events do not necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above. +Events 3090, 3091 and 3092 prove helpful diagnostic information when the ISG or MI option is enabled by any Application Control policy. These events can help you debug why something was allowed/denied based on managed installer or ISG. These events don't necessarily indicate a problem but should be reviewed in context with other events like 3076 or 3077 described above. | Event ID | Explanation | |--------|---------| | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | -| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. | +| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. | | 3092 | This event is the enforcement mode equivalent of 3091. | The above events are reported per active policy on the system, so you may see multiple events for the same file. 
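Review bot: the rewritten intro sentence under "Diagnostic events for Intelligent Security Graph (ISG) and Managed Installer (MI)" still reads "Events 3090, 3091 and 3092 prove helpful diagnostic information", which carries the old typo into the new line; it should be "provide". Since the line is being touched anyway, "allowed/denied" in the next sentence could become "allowed or denied" to match the plain-language cleanup made elsewhere in this hunk.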
@@ -72,8 +73,8 @@ The following information is found in the details for 3090, 3091, and 3092 event | PassesManagedInstaller | Indicates whether the file originated from a MI | | SmartlockerEnabled | Indicates whether the specified policy enables ISG trust | | PassesSmartlocker | Indicates whether the file had positive reputation according to the ISG | -| AuditEnabled | True if the WDAC policy is in audit mode, otherwise it is in enforce mode | -| PolicyName | The name of the WDAC policy to which the event applies | +| AuditEnabled | True if the Application Control policy is in audit mode, otherwise it is in enforce mode | +| PolicyName | The name of the Application Control policy to which the event applies | ### Enabling ISG and MI diagnostic events 
@@ -87,29 +88,30 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x ## Event ID 3099 Options -The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. +The Application Control policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. To derive and parse these values, follow the below workflow. - Access Event Viewer. - Access the Code integrity 3099 event. - Access the details pane. -- Identify the hex code listed in the “Options” field. -- Convert the hex code to binary +- Identify the hex code listed in the "Options" field. +- Convert the hex code to binary. -:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 Policy Rule Options"::: +:::image type="content" source="images/event-3099-options.png" alt-text="Event 3099 policy rule options."::: -For a simple solution for converting hex to binary, follow these steps. -- Open the Calculator app -- Click on the menu icon :::image type="content" source="images/calculator-menu-icon.png" alt-text="calculator menu icon example"::: -- Click Programmer mode -- Click HEX :::image type="content" source="images/hex-icon.png" alt-text="HEX icon example"::: -- Enter your hex code -- Click Bit Toggling Keyboard :::image type="content" source="images/bit-toggling-keyboard-icon.png" alt-text="Bit Toggling Keyboard icon example"::: +For a simple solution for converting hex to binary, follow these steps: -:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary"::: +1. Open the Calculator app. +1. Select the menu icon. 
:::image type="icon" source="images/calculator-menu-icon.png" border="false"::: +1. Select **Programmer** mode. +1. Select **HEX**. :::image type="icon" source="images/hex-icon.png" border="false"::: +1. Enter your hex code. For example, `80881000`. +1. Switch to the **Bit Toggling Keyboard**. :::image type="icon" source="images/bit-toggling-keyboard-icon.png" border="false"::: + +:::image type="content" source="images/calculator-with-hex-in-binary.png" alt-text="An example of the calculator app in programmer mode, with a hex code converted into binary."::: This view will provide the hex code in binary form, with each bit address shown separately. The bit addresses start at 0 in the bottom right. Each bit address correlates to a specific event policy-rule option. If the bit address holds a value of 1, the setting is in the policy. -Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the “Enabled:Audit Mode (Default)” is in the policy meaning the policy is in audit mode. +Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---policy-rule-options). For example, if the bit address of 16 holds a value of 1, then the **Enabled: Audit Mode (Default)** option is in the policy. This setting means that the policy is in audit mode. | Bit Address | Policy Rule Option | |-------|------| 
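Review bot: the sample value added in step 5, `80881000`, has bit 16 clear (its set bits are 31, 23, 19 and 12), so the audit-mode illustration in the last changed paragraph ("if the bit address of 16 holds a value of 1") does not describe the sample the reader was just told to enter. Either take the follow-on illustration from a bit that is set in `80881000`, or state that the bit 16 case is a separate example. The first procedure ("Access Event Viewer." through "Convert the hex code to binary.") is also still a bullet list while the calculator steps became a numbered list; both are sequential and should be numbered the same way.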
@@ -141,46 +143,46 @@ A list of other relevant event IDs and their corresponding description. | Event ID | Description | |-------|------| | 3001 | An unsigned driver was attempted to load on the system. | -| 3002 | Code Integrity could not verify the boot image as the page hash could not be found. | -| 3004 | Code Integrity could not verify the file as the page hash could not be found. | +| 3002 | Code Integrity couldn't verify the boot image as the page hash couldn't be found. | +| 3004 | Code Integrity couldn't verify the file as the page hash couldn't be found. | | 3010 | The catalog containing the signature for the file under validation is invalid. | | 3011 | Code Integrity finished loading the signature catalog. | | 3012 | Code Integrity started loading the signature catalog. | -| 3023 | The driver file under validation did not meet the requirements to pass the application control policy. | +| 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. | | 3024 | Windows application control was unable to refresh the boot catalog file. | | 3026 | The catalog loaded is signed by a signing certificate that has been revoked by Microsoft and/or the certificate issuing authority. | -| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked. -| 3033 | The file under validation did not meet the requirements to pass the application control policy. | -| 3034 | The file under validation would not meet the requirements to pass the application control policy if the WDAC policy was enforced. The file was allowed since the WDAC policy is in audit mode. | -| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | -| 3064 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. 
The DLL was allowed since the WDAC policy is in audit mode. | -| 3065 | If the WDAC policy was enforced, a user mode DLL under validation would not meet the requirements to pass the application control policy. | +| 3032 | The file under validation is revoked by the system or the file has a signature that has been revoked. +| 3033 | The file under validation didn't meet the requirements to pass the application control policy. | +| 3034 | The file under validation wouldn't meet the requirements to pass the Application Control policy if it was enforced. The file was allowed since the policy is in audit mode. | +| 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. | +| 3064 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. The DLL was allowed since the policy is in audit mode. | +| 3065 | If the Application Control policy was enforced, a user mode DLL under validation wouldn't meet the requirements to pass the application control policy. | | 3074 | Page hash failure while hypervisor-protected code integrity was enabled. | -| 3075 | This event measures the performance of the WDAC policy check during file validation. | -| 3076 | This event is the main WDAC block event for audit mode policies. It indicates that the file would have been blocked if the WDAC policy was enforced. | -| 3077 | This event is the main WDAC block event for enforced policies. It indicates that the file did not pass your WDAC policy and was blocked. | -| 3079 | The file under validation did not meet the requirements to pass the application control policy. | -| 3080 | If the WDAC policy was in enforced mode, the file under validation would not have met the requirements to pass the application control policy. 
| -| 3081 | The file under validation did not meet the requirements to pass the application control policy. | -| 3082 | If the WDAC policy was in enforced mode, the non-WHQL driver would have been denied by the WDAC policy. | +| 3075 | This event measures the performance of the Application Control policy check during file validation. | +| 3076 | This event is the main Application Control block event for audit mode policies. It indicates that the file would have been blocked if the policy was enforced. | +| 3077 | This event is the main Application Control block event for enforced policies. It indicates that the file didn't pass your policy and was blocked. | +| 3079 | The file under validation didn't meet the requirements to pass the application control policy. | +| 3080 | If the Application Control policy was in enforced mode, the file under validation wouldn't have met the requirements to pass the application control policy. | +| 3081 | The file under validation didn't meet the requirements to pass the application control policy. | +| 3082 | If the Application Control policy was in enforced mode, the non-WHQL driver would have been denied by the policy. | | 3084 | Code Integrity will enforce the WHQL driver signing requirements on this boot session. | -| 3085 | Code Integrity will not enforce the WHQL driver signing requirements on this boot session. | -| 3086 | The file under validation does not meet the signing requirements for an isolated user mode (IUM) process. | -| 3089 | This event contains signature information for files that were blocked or would have been blocked by WDAC. One 3089 event is created for each signature of a file. | +| 3085 | Code Integrity won't enforce the WHQL driver signing requirements on this boot session. | +| 3086 | The file under validation doesn't meet the signing requirements for an isolated user mode (IUM) process. 
| +| 3089 | This event contains signature information for files that were blocked or would have been blocked by Application Control. One 3089 event is created for each signature of a file. | | 3090 | *Optional* This event indicates that a file was allowed to run based purely on ISG or managed installer. | -| 3091 | This event indicates that a file did not have ISG or managed installer authorization and the WDAC policy is in audit mode. | +| 3091 | This event indicates that a file didn't have ISG or managed installer authorization and the Application Control policy is in audit mode. | | 3092 | This event is the enforcement mode equivalent of 3091. | -| 3095 | The WDAC policy cannot be refreshed and must be rebooted instead. | -| 3096 | The WDAC policy was not refreshed since it is already up-to-date. | -| 3097 | The WDAC policy cannot be refreshed. | -| 3099 | Indicates that a policy has been loaded. This event also includes information about the WDAC policy options that were specified by the WDAC policy. | +| 3095 | The Application Control policy can't be refreshed and must be rebooted instead. | +| 3096 | The Application Control policy wasn't refreshed since it's already up-to-date. | +| 3097 | The Application Control policy can't be refreshed. | +| 3099 | Indicates that a policy has been loaded. This event also includes information about the options that were specified by the Application Control policy. | | 3100 | The application control policy was refreshed but was unsuccessfully activated. Retry. | -| 3101 | The system started refreshing the WDAC policy. | -| 3102 | The system finished refreshing the WDAC policy. | -| 3103 | The system is ignoring the WDAC policy refresh. | -| 3104 | The file under validation does not meet the signing requirements for a PPL (protected process light) process. | -| 3105 | The system is attempting to refresh the WDAC policy. | +| 3101 | The system started refreshing the Application Control policy. 
| +| 3102 | The system finished refreshing the Application Control policy. | +| 3103 | The system is ignoring the Application Control policy refresh. | +| 3104 | The file under validation doesn't meet the signing requirements for a PPL (protected process light) process. | +| 3105 | The system is attempting to refresh the Application Control policy. | | 3108 | Windows mode change event was successful. | | 3110 | Windows mode change event was unsuccessful. | -| 3111 | The file under validation did not meet the hypervisor-protected code integrity (HVCI) policy. | +| 3111 | The file under validation didn't meet the hypervisor-protected code integrity (HVCI) policy. | | 3112 | The file under validation is signed by a certificate that has been explicitly revoked by Windows. | diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 36aa766318..3e1dfaea27 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -14,7 +14,6 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 07/15/2021 ms.technology: windows-sec --- @@ -24,7 +23,7 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2019 and above > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). 
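Review bot: the applies-to list now starts at "Windows Server 2019 and above" instead of 2016, and nothing in the hunk explains the change. The NOTE directly below sends readers to feature-availability.md for version support, so confirm that article gives the same minimum Server version for the ISG option, and state the reason for the change in the commit description so the two pages don't drift apart.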
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 8024e0f03b..445e34f78e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -1,22 +1,16 @@ --- title: Windows Defender Application Control Wizard -description: Microsoft Defender Application Control Wizard (WDAC) Wizard allows users to create, edit, and merge application control policies in a simple to use Windows application. -keywords: allowlisting, blocklisting, security, malware -ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +description: The Windows Defender Application Control policy wizard tool allows you to create, edit, and merge application control policies in a simple to use Windows application. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security +ms.technology: windows-sec ms.localizationpriority: medium -audience: ITPro ms.collection: M365-security-compliance author: jgeurten ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.topic: conceptual -ms.date: 10/14/2020 -ms.technology: windows-sec +ms.date: 05/24/2022 --- # Windows Defender Application Control Wizard 
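Review bot: the new `description` calls the tool the "Windows Defender Application Control policy wizard tool", but `title` and the H1 at the end of this hunk are left as "Windows Defender Application Control Wizard", so the front matter and heading now disagree on the product name. Pick one name and use it in all three places. In the same `description` line, "simple to use Windows application" needs hyphens ("simple-to-use").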
@@ -30,26 +24,26 @@ ms.technology: windows-sec > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. +The Windows Defender Application Control policy wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. It was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge Application Control policies. This tool uses the [ConfigCI PowerShell cmdlets](/powershell/module/configci) in the backend so the output policy of the tool and PowerShell cmdlets is identical. ## Downloading the application -The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit). +Download the tool from the official [Windows Defender Application Control Policy Wizard website](https://webapp-wdac-wizard.azurewebsites.net/) as an MSIX packaged application. The tool's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Policy Wizard repository](https://github.com/MicrosoftDocs/WDAC-Toolkit). 
-**Supported Clients** +### Supported clients -As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements: +As the tool uses the cmdlets in the background, it's functional on clients only where the cmdlets are supported. For more information, see [Application Control feature availability](feature-availability.md). Specifically, the tool verifies that the client meets one of the following requirements: -- Windows builds 1909+ -- For pre-1909 builds, the Enterprise SKU of Windows is installed +- Windows 10, version 1909 or later +- For pre-1909 builds, the Enterprise SKU of Windows is installed -If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available. +If neither requirement is satisfied, it throws an error as the cmdlets aren't available. -## In this section +## Resources to learn more -| Topic | Description | +| Article | Description | | - | - | | [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. | | [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. | -| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. | -| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. 
| \ No newline at end of file +| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the tool's editing capabilities. | +| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. | diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 15141a8aff..ec94f13e2b 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,17 +1,12 @@ --- title: Create an Outbound Program or Service Rule (Windows) description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. -ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md index 9539084377..6e4429688b 100644 --- a/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md +++ b/windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md 
@@ -1,17 +1,12 @@ --- title: Create Inbound Rules to Support RPC (Windows) description: Learn how to allow RPC network traffic by using the Group Policy Management MMC snap-in to create rules in Windows Defender Firewall with Advanced Security. -ms.assetid: 0b001c2c-12c1-4a30-bb99-0c034d7e6150 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 33d369d823..502b0b5b91 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -1,17 +1,12 @@ --- title: Create Windows Firewall rules in Intune (Windows) description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune. -ms.assetid: 47057d90-b053-48a3-b881-4f2458d3e431 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.technology: windows-sec diff --git a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md index 6d9896ef84..1b2931e18d 100644 --- a/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md 
+++ b/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md @@ -1,17 +1,12 @@ --- title: Create WMI Filters for the GPO (Windows) description: Learn how to use WMI filters on a GPO to make sure that each GPO for a group can only be applied to devices running the correct version of Windows. -ms.assetid: b1a6d93d-a3c8-4e61-a388-4a3323f0e74e ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index bb72548e1a..7e365c2fbf 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,17 +1,12 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows) description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. -ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md index be0ce97138..cdbb54af14 100644 
--- a/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md @@ -1,17 +1,12 @@ --- title: Determining the Trusted State of Your Devices (Windows) description: Learn how to define the trusted state of devices in your enterprise to help design your strategy for using Windows Defender Firewall with Advanced Security. -ms.assetid: 3e77f0d0-43aa-47dd-8518-41ccdab2f2b2 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 
@@ -25,7 +20,7 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above -After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security cannot exceed the level of security set by the least secure client that achieves trusted status. +After obtaining information about the devices that are currently part of the IT infrastructure, you must determine at what point a device is considered trusted. The term *trusted* can mean different things to different people. Therefore, you must communicate a firm definition for it to all stakeholders in the project. Failure to do this can lead to problems with the security of the trusted environment, because the overall security can't exceed the level of security set by the least secure client that achieves trusted status. >**Note:**  In this context, the term *trust* has nothing to do with an Active Directory trust relationship between domains. The trusted state of your devices just indicates the level of risk that you believe the device brings to the network. Trusted devices bring little risk whereas untrusted devices can potentially bring great risk. 
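Review bot: the changed paragraph keeps "Failure to do this can lead to problems with the security of the trusted environment", where "this" has no clear referent; spell it out, for example "Failure to communicate this definition can lead to ...". The context line after it still uses the legacy `>**Note:**` form, while other articles in this diff use the `> [!NOTE]` alert block; convert it while the paragraph is being edited.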
@@ -46,9 +41,9 @@ The remainder of this section defines these states and how to determine which de ### Trusted state -Classifying a device as trusted means that the device's security risks are managed, but it does not imply that it is perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. +Classifying a device as trusted means that the device's security risks are managed, but it doesn't imply that it's perfectly secure or invulnerable. The responsibility for this managed state falls to the IT and security administrators, in addition to the users who are responsible for the configuration of the device. A trusted device that is poorly managed will likely become a point of weakness for the network. -When a device is considered trusted, other trusted devices can reasonably assume that the device will not initiate a malicious act. For example, trusted devices can expect that other trusted devices will not run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. +When a device is considered trusted, other trusted devices can reasonably assume that the device won't initiate a malicious act. For example, trusted devices can expect that other trusted devices won't run a virus that attacks them, because all trusted devices are required to use mechanisms (such as antivirus software) to mitigate the threat of viruses. Spend some time defining the goals and technology requirements that your organization considers appropriate as the minimum configuration for a device to obtain trusted status. 
@@ -68,49 +63,49 @@ A possible list of technology requirements might include the following: - **Password requirements.** Trusted clients must use strong passwords. -It is important to understand that the trusted state is not constant; it is a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they are required to help maintain the trusted status. +It's important to understand that the trusted state isn't constant; it's a transient state that is subject to changing security standards and compliance with those standards. New threats and new defenses emerge constantly. For this reason, the organization's management systems must continually check the trusted devices to ensure ongoing compliance. Additionally, the management systems must be able to issue updates or configuration changes if they're required to help maintain the trusted status. -A device that continues to meet all these security requirements can be considered trusted. However it is possible that most devices that were identified in the discovery process discussed earlier do not meet these requirements. Therefore, you must identify which devices can be trusted and which ones cannot. To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. +A device that continues to meet all these security requirements can be considered trusted. However it's possible that most devices that were identified in the discovery process discussed earlier don't meet these requirements. Therefore, you must identify which devices can be trusted and which ones can't. 
To help with this process, you use the intermediate *trustworthy* state. The remainder of this section discusses the different states and their implications. ### Trustworthy state -It is useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. +It's useful to identify as soon as possible those devices in your current infrastructure that can achieve a trusted state. A *trustworthy state* can be assigned to indicate that the current device can physically achieve the trusted state with required software and configuration changes. For each device that is assigned a trustworthy status, make an accompanying configuration note that states what is required to enable the device to achieve trusted status. This information is especially important to both the project design team (to estimate the costs of adding the device to the solution) and the support staff (to enable them to apply the required configuration). Generally, trustworthy devices fall into one of the following two groups: -- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk does not meet this requirement. +- **Configuration required.** The current hardware, operating system, and software enable the device to achieve a trustworthy state. However, additional configuration changes are required. For example, if the organization requires a secure file system before a device can be considered trusted, a device that uses a FAT32-formatted hard disk doesn't meet this requirement. 
- **Upgrade required.** These devices require upgrades before they can be considered trusted. The following list provides some examples of the type of upgrade these devices might require: - - **Operating system upgrade required.** If the device's current operating system cannot support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. + - **Operating system upgrade required.** If the device's current operating system can't support the security needs of the organization, an upgrade would be required before the device could achieve a trusted state. - - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, cannot be considered trusted until these applications are installed and active. + - **Software required.** A device that is missing a required security application, such as an antivirus scanner or a management client, can't be considered trusted until these applications are installed and active. - **Hardware upgrade required.** In some cases, a device might require a specific hardware upgrade before it can achieve trusted status. This type of device usually needs an operating system upgrade or additional software that forces the required hardware upgrade. For example, security software might require additional hard disk space on the device. - - **Device replacement required.** This category is reserved for devices that cannot support the security requirements of the solution because their hardware cannot support the minimum acceptable configuration. For example, a device that cannot run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). + - **Device replacement required.** This category is reserved for devices that can't support the security requirements of the solution because their hardware can't support the minimum acceptable configuration. 
For example, a device that can't run a secure operating system because it has an old processor (such as a 100-megahertz \[MHz\] x86-based device). Use these groups to assign costs for implementing the solution on the devices that require upgrades. ### Known, untrusted state -During the process of categorizing an organization's devices, you will identify some devices that cannot achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: +During the process of categorizing an organization's devices, you'll identify some devices that can't achieve trusted status for specific well-understood and well-defined reasons. These reasons might include the following types: -- **Financial.** The funding is not available to upgrade the hardware or software for this device. +- **Financial.** The funding isn't available to upgrade the hardware or software for this device. -- **Political.** The device must remain in an untrusted state because of a political or business situation that does not enable it to comply with the stated minimum security requirements of the organization. It is highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. +- **Political.** The device must remain in an untrusted state because of a political or business situation that doesn't enable it to comply with the stated minimum security requirements of the organization. It's highly recommended that you contact the business owner or independent software vendor (ISV) for the device to discuss the added value of server and domain isolation. - **Functional.** The device must run a nonsecure operating system or must operate in a nonsecure manner to perform its role. For example, the device might be required to run an older operating system because a specific line of business application will only work on that operating system. 
There can be multiple functional reasons for a device to remain in the known untrusted state. The following list includes several examples of functional reasons that can lead to a classification of this state: -- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system cannot be classified as trustworthy because these operating systems do not support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it does not support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). +- **Devices that run unsupported versions of Windows.** This includes Windows XP, Windows Millennium Edition, Windows 98, Windows 95, or Windows NT. Devices that run these versions of the Windows operating system can't be classified as trustworthy because these operating systems don't support the required security infrastructure. For example, although Windows NT does support a basic security infrastructure, it doesn't support “deny” ACLs on local resources, any way to ensure the confidentiality and integrity of network communications, smart cards for strong authentication, or centralized management of device configurations (although limited central management of user configurations is supported). -- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually cannot achieve a trustworthy state. 
Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device is not a part of a trusted domain. +- **Stand-alone devices.** Devices running any version of Windows that are configured as stand-alone devices or as members of a workgroup usually can't achieve a trustworthy state. Although these devices fully support the minimum required basic security infrastructure, the required security management capabilities are unlikely to be available when the device isn't a part of a trusted domain. -- **Devices in an untrusted domain.** A device that is a member of a domain that is not trusted by an organization's IT department cannot be classified as trusted. An untrusted domain is a domain that cannot provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities cannot be fully guaranteed when devices are not in a trusted domain. +- **Devices in an untrusted domain.** A device that is a member of a domain that isn't trusted by an organization's IT department can't be classified as trusted. An untrusted domain is a domain that can't provide the required security capabilities to its members. Although the operating systems of devices that are members of this untrusted domain might fully support the minimum required basic security infrastructure, the required security management capabilities can't be fully guaranteed when devices aren't in a trusted domain. ### Unknown, untrusted state 
@@ -129,20 +124,20 @@ The final step in this part of the process is to record the approximate cost of - What is the projected cost or impact of making the proposed changes to enable the device to achieve a trusted state? -By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It is important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you are ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. +By answering these questions, you can quickly determine the level of effort and approximate cost of bringing a particular device or group of devices into the scope of the project. It's important to remember that the state of a device is transitive, and that by performing the listed remedial actions you can change the state of a device from untrusted to trusted. After you decide whether to place a device in a trusted state, you're ready to begin planning and designing the isolation groups, which the next section [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) discusses. The following table is an example of a data sheet that you could use to help capture the current state of a device and what would be required for the device to achieve a trusted state. | Device name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | | - | - | - | - | - | - | -| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. Old hardware is not compatible with newer versions of Windows.| $??| +| CLIENT001 | No| No| Upgrade hardware and software.| Current operating system is Windows XP. 
Old hardware isn't compatible with newer versions of Windows.| $??| | SERVER001 | Yes| No| Join trusted domain and upgrade from Windows Server 2003 to Windows Server 2012.| No antivirus software present.| $??| In the previous table, the device CLIENT001 is currently "known, untrusted" because its hardware must be upgraded. However, it could be considered trustworthy if the required upgrades are possible. However, if many devices require the same upgrades, the overall cost of the solution would be much higher. The device SERVER001 is "trustworthy" because it meets the hardware requirements but its operating system must be upgraded. It also requires antivirus software. The projected cost is the amount of effort that is required to upgrade the operating system and install antivirus software, along with their purchase costs. -With the other information that you have gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. +With the other information that you've gathered in this section, this information will be the foundation of the efforts performed later in the [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) section. The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan. diff --git a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md index 6b8adafa56..4b52443989 100644 --- a/windows/security/threat-protection/windows-firewall/documenting-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/documenting-the-zones.md 
@@ -1,17 +1,12 @@ --- title: Documenting the Zones (Windows) description: Learn how to document the zone placement of devices in your design for Windows Defender Firewall with Advanced Security. -ms.assetid: ebd7a650-4d36-42d4-aac0-428617f5a32d ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md index ec6e6a670b..d3e12bfc41 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md @@ -1,17 +1,12 @@ --- title: Domain Isolation Policy Design Example (Windows) description: This example uses a fictitious company to illustrate domain isolation policy design in Windows Defender Firewall with Advanced Security. -ms.assetid: 704dcf58-286f-41aa-80af-c81720aa7fc5 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md index 0f112cdfa7..ac3e4beadc 100644 --- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md 
@@ -1,17 +1,12 @@ --- title: Domain Isolation Policy Design (Windows) description: Learn how to design a domain isolation policy, based on which devices accept only connections from authenticated members of the same isolated domain. -ms.assetid: 7475084e-f231-473a-9357-5e1d39861d66 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md index cd420e5088..c17b29ef65 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md @@ -1,17 +1,12 @@ --- title: Enable Predefined Inbound Rules (Windows) description: Learn the rules for Windows Defender Firewall with Advanced Security for common networking roles and functions. -ms.assetid: a4fff086-ae81-4c09-b828-18c6c9a937a7 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md index 0102f9ee3a..782c3d49fc 100644 --- a/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md +++ b/windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md 
@@ -1,17 +1,12 @@ --- title: Enable Predefined Outbound Rules (Windows) description: Learn to deploy predefined firewall rules that block outbound network traffic for common network functions in Windows Defender Firewall with Advanced Security. -ms.assetid: 71cc4157-a1ed-41d9-91e4-b3140c67c1be ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/07/2021 diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md index 6d909df105..f246825b19 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md @@ -1,17 +1,12 @@ --- title: Encryption Zone GPOs (Windows) description: Learn how to add a device to an encryption zone by adding the device account to the encryption zone group in Windows Defender Firewall with Advanced Security. -ms.assetid: eeb973dd-83a5-4381-9af9-65c43c98c29b ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
@@ -27,6 +22,6 @@ ms.technology: windows-sec Handle encryption zones in a similar manner to the boundary zones. A device is added to an encryption zone by adding the device account to the encryption zone group. Woodgrove Bank has a single service that must be protected, and the devices that are running that service are added to the group CG\_DOMISO\_Encryption. This group is granted Read and Apply Group Policy permissions in on the GPO described in this section. -The GPO is only for server versions of Windows. Client devices are not expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. +The GPO is only for server versions of Windows. Client devices aren't expected to participate in the encryption zone. If the need for one occurs, either create a new GPO for that version of Windows, or expand the WMI filter attached to one of the existing encryption zone GPOs to make it apply to the client version of Windows. - [GPO\_DOMISO\_Encryption](gpo-domiso-encryption.md) diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index fe2e9815a6..8a6dd9db87 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md 
@@ -1,17 +1,12 @@ --- title: Encryption Zone (Windows) description: Learn how to create an encryption zone to contain devices that host very sensitive data and require that the sensitive network traffic be encrypted. -ms.assetid: 55a025ce-357f-4d1b-b2ae-6ee32c9abe13 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md index 0a1c8c3094..9cd638e39c 100644 --- a/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md +++ b/windows/security/threat-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md @@ -1,17 +1,12 @@ --- title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows) description: Evaluating Windows Defender Firewall with Advanced Security Design Examples -ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md index 686d6ff871..dee6778a40 100644 --- a/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md 
+++ b/windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md @@ -1,17 +1,12 @@ --- title: Exempt ICMP from Authentication (Windows) description: Learn how to add exemptions for any network traffic that uses the ICMP protocol in Windows Defender Firewall with Advanced Security. -ms.assetid: c086c715-8d0c-4eb5-9ea7-2f7635a55548 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index c060789ce3..a150d214f5 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,17 +1,12 @@ --- title: Exemption List (Windows) description: Learn about reasons to add devices to an exemption list in Windows Defender Firewall with Advanced Security and the trade-offs of having too many exemptions. -ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md index ca7cb954eb..ad4e1359c3 100644 --- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md +++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md 
@@ -4,8 +4,6 @@ description: Filter origin documentation audit log improvements ms.reviewer: ms.author: v-bshilpa ms.prod: m365-security -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: normal author: Benny-54 manager: dansimp diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index c6815864d5..9cac69201b 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -1,17 +1,12 @@ --- title: Firewall GPOs (Windows) description: In this example, a Group Policy Object is linked to the domain container because the domain controllers are not part of the isolated domain. -ms.assetid: 720645fb-a01f-491e-8d05-c9c6d5e28033 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md index e130a76c47..6152948655 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md 
@@ -1,17 +1,12 @@ --- title: Basic Firewall Policy Design Example (Windows) description: This example features a fictitious company and illustrates firewall policy design for Windows Defender Firewall with Advanced Security. -ms.assetid: 0dc3bcfe-7a4d-4a15-93a9-64b13bd775a7 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md index 562716bc3b..db56dcc84e 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md +++ b/windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md @@ -4,8 +4,6 @@ description: Firewall settings lost on upgrade ms.reviewer: ms.author: v-bshilpa ms.prod: m365-security -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: Benny-54 manager: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md index 32c6dd328f..fe4d111ad1 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md 
@@ -1,17 +1,12 @@ --- title: Gathering Information about Your Active Directory Deployment (Windows) description: Learn about gathering Active Directory information, including domain layout, organizational unit architecture, and site topology, for your firewall deployment. -ms.assetid: b591b85b-12ac-4329-a47e-bc1b03e66eb0 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 792686a4b3..0c7ab93228 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,17 +1,12 @@ --- title: Gathering Info about Your Network Infrastructure (Windows) description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. -ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md index 0e57c0e9a9..6d7e499d9c 100644 
--- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md @@ -1,17 +1,12 @@ --- title: Gathering Information about Your Devices (Windows) description: Learn what information to gather about the devices in your enterprise to plan your Windows Defender Firewall with Advanced Security deployment. -ms.assetid: 7f7cd3b9-de8e-4fbf-89c6-3d1a47bc2beb ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md index 579ef8f647..fe22f964b8 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md +++ b/windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md @@ -1,17 +1,12 @@ --- title: Gathering Other Relevant Information (Windows) description: Learn about additional information you may need to gather to deploy Windows Defender Firewall with Advanced Security policies in your organization. -ms.assetid: 87ccca07-4346-496b-876d-cdde57d0ce17 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index 8482a7cd65..0599090184 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -1,17 +1,12 @@ --- title: Gathering the Information You Need (Windows) description: Collect and analyze information about your network, directory services, and devices to prepare for Windows Defender Firewall with Advanced Security deployment. -ms.assetid: 545fef02-5725-4b1e-b67a-a32d94c27d15 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md index afa8e8f5cc..adfb2e0acb 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md @@ -1,17 +1,12 @@ --- title: GPO\_DOMISO\_Boundary (Windows) description: This example GPO supports devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. -ms.assetid: ead3a510-c329-4c2a-9ad2-46a3b4975cfd ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index d1ca928d07..bc83b6e60d 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -1,18 +1,13 @@ --- title: GPO\_DOMISO\_Encryption\_WS2008 (Windows) description: This example GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. -ms.assetid: 84375480-af6a-4c79-aafe-0a37115a7446 ms.reviewer: ms.author: dansimp author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium ms.date: 09/08/2021 ms.technology: windows-sec diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md index 662dd03f50..6cd30ab0e7 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md @@ -1,17 +1,12 @@ --- title: GPO\_DOMISO\_Firewall (Windows) description: Learn about the settings and rules in this example GPO, which is authored by using the Group Policy editing tools. -ms.assetid: 318467d2-5698-4c5d-8000-7f56f5314c42 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index bed380f50e..ce23a063fa 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,17 +1,12 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index 84d2f5ce16..3e29726a15 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,17 +1,12 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows) description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. -ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md index 6746a2c01c..5684e64a1e 100644 --- a/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md +++ b/windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md @@ -1,17 +1,12 @@ --- title: Identify implementation goals for Windows Defender Firewall with Advanced Security Deployment (Windows) description: Identifying Your Windows Defender Firewall with Advanced Security (WFAS) implementation goals -ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md index 9f16389687..19be53c930 100644 --- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md +++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md 
@@ -1,17 +1,12 @@ --- title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows) description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan -ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md index ccaefb1de6..afdbbb4444 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md @@ -1,17 +1,12 @@ --- title: Isolated Domain GPOs (Windows) description: Learn about GPOs for isolated domains in this example configuration of Windows Defender Firewall with Advanced Security. -ms.assetid: e254ce4a-18c6-4868-8179-4078d9de215f ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/isolated-domain.md b/windows/security/threat-protection/windows-firewall/isolated-domain.md index af0a3cd985..336af76b07 100644 --- a/windows/security/threat-protection/windows-firewall/isolated-domain.md +++ b/windows/security/threat-protection/windows-firewall/isolated-domain.md 
@@ -1,17 +1,12 @@ --- title: Isolated Domain (Windows) description: Learn about the isolated domain, which is the primary zone for trusted devices, which use connection security and firewall rules to control communication. -ms.assetid: d6fa8d67-0078-49f6-9bcc-db1f24816c5e ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md index 642c968859..94c2d1efc2 100644 --- a/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md +++ b/windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md @@ -2,13 +2,9 @@ title: Isolating Microsoft Store Apps on Your Network (Windows) description: Learn how to customize your firewall configuration to isolate the network access of the new Microsoft Store apps that run on devices added to your network. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md index 472e264155..27ca0787a6 100644 --- a/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md +++ b/windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md 
@@ -1,17 +1,12 @@ --- title: Link the GPO to the Domain (Windows) description: Learn how to link a GPO to the Active Directory container for the target devices, after you configure it in Windows Defender Firewall with Advanced Security. -ms.assetid: 746d4553-b1a6-4954-9770-a948926b1165 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md index 4d847f7055..e14954cb74 100644 --- a/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md @@ -1,17 +1,12 @@ --- title: Mapping your implementation goals to a Windows Firewall with Advanced Security design (Windows) description: Mapping your implementation goals to a Windows Firewall with Advanced Security design -ms.assetid: 7e68c59e-ba40-49c4-8e47-5de5d6b5eb22 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md index e2e209ff07..20c89d309f 100644 --- a/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md +++ b/windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md @@ -1,17 +1,12 @@ --- title: Modify GPO Filters (Windows) description: Learn how to modify GPO filters to apply to a different zone or version of windows in Windows Defender Firewall with Advanced Security. -ms.assetid: 24ede9ca-a501-4025-9020-1129e2cdde80 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md index 7b4d920b83..27d55010fe 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md 
@@ -1,17 +1,12 @@ --- title: Open the Group Policy Management Console to IP Security Policies (Windows) description: Learn how to open the Group Policy Management Console to IP Security Policies to configure GPOs for earlier versions of the Windows operating system. -ms.assetid: 235f73e4-37b7-40f4-a35e-3e7238bbef43 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md index d55f5793ea..6b414fd0e1 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md @@ -1,17 +1,12 @@ --- title: Group Policy Management of Windows Firewall with Advanced Security (Windows) description: Group Policy Management of Windows Firewall with Advanced Security -ms.assetid: 28afab36-8768-4938-9ff2-9d6dab702e98 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md index 77e7c364b3..7c1ef5c3ab 100644 --- a/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md +++ b/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md @@ -1,17 +1,12 @@ --- title: Group Policy Management of Windows Defender Firewall (Windows) description: Group Policy Management of Windows Defender Firewall with Advanced Security -ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md index c46ba8f97f..31a3fba50f 100644 --- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md 
@@ -1,17 +1,12 @@ --- title: Open Windows Defender Firewall with Advanced Security (Windows) description: Learn how to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrators group. -ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md index c5d10098c9..e0e0de7084 100644 --- a/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md +++ b/windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md @@ -1,17 +1,12 @@ --- title: Planning Certificate-based Authentication (Windows) description: Learn how a device unable to join an Active Directory domain can still participate in an isolated domain by using certificate-based authentication. -ms.assetid: a55344e6-d0df-4ad5-a6f5-67ccb6397dec ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md index a5c690294e..8732491e55 100644 --- a/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md 
+++ b/windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md @@ -1,17 +1,12 @@ --- title: Planning Domain Isolation Zones (Windows) description: Learn how to use information you have gathered to make decisions about isolation zones for your environment in Windows Defender Firewall with Advanced Security. -ms.assetid: 70bc7c52-91f0-4a0d-a64a-69d3ea1c6d05 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md index 81d3ffeabe..fcdef1ec8f 100644 --- a/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md +++ b/windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md @@ -1,17 +1,12 @@ --- title: Planning GPO Deployment (Windows) description: Learn how to use security group filtering and WMI filtering to provide the most flexible options for applying GPOs to devices in Active Directory. -ms.assetid: b38adfb1-1371-4227-a887-e6d118809de1 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md index 3002cef090..46f1ec18cd 100644 
--- a/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md @@ -1,17 +1,12 @@ --- title: Planning Group Policy Deployment for Your Isolation Zones (Windows) description: Learn how to plan a group policy deployment for your isolation zones after you determine the best logical design for your isolation environment. -ms.assetid: ea7c0acd-af28-4347-9d4a-4801b470557c ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index 6cf3ebe60c..703b785517 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,17 +1,12 @@ --- title: Planning Isolation Groups for the Zones (Windows) description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs. -ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md index 9a897f0089..115c4bc0b4 100644 --- a/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md +++ b/windows/security/threat-protection/windows-firewall/planning-network-access-groups.md @@ -1,17 +1,12 @@ --- title: Planning Network Access Groups (Windows) description: Learn how to implement a network access group for users and devices that can access an isolated server in Windows Defender Firewall with Advanced Security. -ms.assetid: 56ea1717-1731-4a5d-b277-5a73eb86feb0 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md index 9e87ee9790..7c7ab8b78d 100644 --- a/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md @@ -1,17 +1,12 @@ --- title: Planning Server Isolation Zones (Windows) description: Learn how to restrict access to a server to approved users by using a server isolation zone in Windows Defender Firewall with Advanced Security. -ms.assetid: 5f63c929-589e-4b64-82ea-515d62765b7b ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md index ed55752803..5aed4df804 100644 --- a/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md +++ b/windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md @@ -1,17 +1,12 @@ --- title: Planning Settings for a Basic Firewall Policy (Windows) description: Learn how to design a basic policy for Windows Defender Firewall with Advanced Security, the settings and rules that enforce your requirements on devices. -ms.assetid: 4c90df5a-3cbc-4b85-924b-537c2422d735 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md index 74e85fa1a0..054cd6b4c9 100644 --- a/windows/security/threat-protection/windows-firewall/planning-the-gpos.md +++ b/windows/security/threat-protection/windows-firewall/planning-the-gpos.md @@ -1,17 +1,12 @@ --- title: Planning the GPOs (Windows) description: Learn about planning Group Policy Objects for your isolation zones in Windows Defender Firewall with Advanced Security, after you design the zone layout. -ms.assetid: 11949ca3-a11c-4a16-b297-0862432eb5b4 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index d651e8e71b..1bb9e49550 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,17 +1,12 @@ --- title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows) description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. -ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 66140941f1..c88257ead5 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md 
@@ -1,17 +1,12 @@ --- title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows) description: After you gather the relevant information, select the design or combination of designs for Windows Defender Firewall with Advanced Security in your environment. -ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md index e45fb6c5e6..8c98be2b77 100644 --- a/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md +++ b/windows/security/threat-protection/windows-firewall/procedures-used-in-this-guide.md @@ -1,17 +1,12 @@ --- title: Procedures Used in This Guide (Windows) description: Refer to this summary of procedures for Windows Defender Firewall with Advanced Security from checklists in this guide. -ms.assetid: 45c0f549-e4d8-45a3-a600-63e2a449e178 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md index 40645e4078..ba994c905e 100644 --- a/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md 
+++ b/windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md @@ -1,17 +1,12 @@ --- title: Protect devices from unwanted network traffic (Windows) description: Learn how running a host-based firewall on every device in your organization can help protect against attacks as part of a defense-in-depth security strategy. -ms.assetid: 307d2b38-e8c4-4358-ae16-f2143af965dc ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/18/2022 diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md index 83309d4b1b..42338ede59 100644 --- a/windows/security/threat-protection/windows-firewall/quarantine.md +++ b/windows/security/threat-protection/windows-firewall/quarantine.md @@ -4,14 +4,9 @@ description: Quarantine behavior is explained in detail. ms.author: v-bshilpa author: Benny-54 manager: dansimp -ms.assetid: ms.reviewer: ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: normal -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md index 5ae57cd35b..23025f1e50 100644 --- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md +++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md 
@@ -1,17 +1,12 @@ --- title: Require Encryption When Accessing Sensitive Network Resources (Windows) description: Windows Defender Firewall with Advanced Security allows you to require that all network traffic in an isolated domain be encrypted. -ms.assetid: da980d30-a68b-4e2a-ba63-94726355ce6f ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index 4e8ca4f98b..b91f299c18 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,17 +1,12 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows) description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. -ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md index 287942862c..cc78b7ceb7 100644 
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md @@ -1,17 +1,12 @@ --- title: Restrict access to only trusted devices (Windows) description: Windows Defender Firewall with Advanced Security enables you to isolate devices you trust and restrict access of untrusted devices to trusted devices. -ms.assetid: bc1f49a4-7d54-4857-8af9-b7c79f47273b ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 35882149d3..d405ae9ad9 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,17 +1,12 @@ --- title: Restrict Server Access to Members of a Group Only (Windows) description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. -ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
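Review bot: In the front matter of restrict-server-access-to-members-of-a-group-only.md, `ms.reviewer:` is kept as a context line with no value, while the cleanup removes `ms.assetid`, `ms.mktglfcycl`, `ms.sitesec`, `ms.pagetype` and `audience`. If the goal is to drop metadata that carries no information, either populate `ms.reviewer` or remove it in the same pass. The same empty key is left in the other windows-firewall files touched by this patch.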
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 70ebf3fd75..e43a977d74 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -2,13 +2,9 @@ title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows) description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md index 9ec9d59a12..9f249ae1c5 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-gpos.md @@ -1,17 +1,12 @@ --- title: Server Isolation GPOs (Windows) description: Learn about required GPOs for isolation zones and how many server isolation zones you need in Windows Defender Firewall with Advanced Security. -ms.assetid: c97b1f2f-51d8-4596-b38a-8a3f6f706be4 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md index 59eb498be0..f5b9e6802b 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md @@ -1,17 +1,12 @@ --- title: Server Isolation Policy Design Example (Windows) description: Learn about server isolation policy design in Windows Defender Firewall with Advanced Security by referring to this example of a fictitious company. -ms.assetid: 337e5f6b-1ec5-4b83-bee5-d0aea1fa5fc6 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md index 92ff6b97db..c9a669692f 100644 --- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md @@ -1,17 +1,12 @@ --- title: Server Isolation Policy Design (Windows) description: Learn about server isolation policy design, where you assign servers to a zone that allows access only to members of an approved network access group. -ms.assetid: f93f65cd-b863-461e-ab5d-a620fd962c9a ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md index 3e3a5b108f..2337344ccf 100644 --- a/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md +++ b/windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md @@ -4,8 +4,6 @@ description: Troubleshooting UWP App Connectivity Issues in Windows Firewall ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md index 0ae4b4f8dd..64a55b790e 100644 --- a/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md +++ b/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md @@ -1,17 +1,12 @@ --- title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows) description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior -ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
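Review bot: The `description:` context line in turn-on-windows-firewall-and-configure-default-behavior.md repeats the title word for word ("Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior"). Since this hunk already edits the front matter, replace it with a sentence that says what the article helps the reader do, as the neighbouring files' descriptions do.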
diff --git a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md index d6dbf5fd5a..dd58d0c8d0 100644 --- a/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md +++ b/windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md @@ -2,13 +2,9 @@ title: Understand WFAS Deployment (Windows) description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md index 7ae486d08d..0c11ed522b 100644 --- a/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md +++ b/windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md 
@@ -1,17 +1,12 @@ --- title: Verify That Network Traffic Is Authenticated (Windows) description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication. -ms.assetid: cc1fb973-aedf-4074-ad4a-7376b24f03d2 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index b00b59d00e..c89e65cba2 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -2,13 +2,9 @@ title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows) description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md index dfcf6cfc99..fbb11692e8 100644 
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md @@ -1,17 +1,12 @@ --- title: Windows Defender Firewall with Advanced Security deployment overview (Windows) description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network. -ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md index 38545a3d40..623503499e 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md @@ -1,17 +1,12 @@ --- title: Windows Defender Firewall with Advanced Security design guide (Windows) description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise. -ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51 ms.reviewer: ms.author: dansimp ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 989c1be1a1..966c5e4a6a 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -2,14 +2,10 @@ title: Windows Defender Firewall with Advanced Security (Windows) description: Learn overview information about the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. ms.prod: m365-security -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2021 diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 281436db6f..d9ecdb1fb0 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -2,7 +2,6 @@ title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index 31d3aba69a..be77c53fd5 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md 
@@ -2,7 +2,6 @@ title: Windows Sandbox architecture description: Windows Sandbox architecture ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index cd5f7a2082..94adc3d7c8 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -2,7 +2,6 @@ title: Windows Sandbox configuration description: Windows Sandbox configuration ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 29b2f22f62..ec43ba1f84 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -2,7 +2,6 @@ title: Windows Sandbox description: Windows Sandbox overview ms.prod: m365-security -audience: ITPro author: dansimp ms.author: dansimp manager: dansimp diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index c3cc25f375..52c3d0d811 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md 
@@ -1,14 +1,11 @@ --- title: Get support for security baselines description: Find answers to frequently asked question on how to get support for baselines, the Security Compliance Toolkit (SCT), and related topics. -keywords: virtualization, security, malware ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/14/2022 diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index eec2742b4c..3fd0c07c67 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -1,14 +1,11 @@ --- title: Microsoft Security Compliance Toolkit 1.0 Guide description: This article describes how to use Security Compliance Toolkit 1.0 in your organization -keywords: virtualization, security, malware ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/14/2022 diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 6d4c993655..18cb5242f6 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -1,14 +1,11 @@ --- title: Security baselines guide description: Learn how to use security baselines in your organization. -keywords: virtualization, security, malware ms.prod: m365-security -ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp author: dansimp manager: dansimp -audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/26/2022 diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md index 6792a8df14..a0e24a1035 100644 --- a/windows/security/trusted-boot.md +++ b/windows/security/trusted-boot.md @@ -5,7 +5,6 @@ search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp -audience: ITPro ms.topic: conceptual ms.date: 09/21/2021 ms.prod: m365-security @@ -13,8 +12,7 @@ ms.technology: windows-sec ms.localizationpriority: medium ms.collection: ms.custom: -ms.reviewer: jsuther -f1.keywords: NOCSH +ms.reviewer: jsuther --- # Secure Boot and Trusted Boot diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 8b9b5e1d73..6953ab042b 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -5,9 +5,6 @@ ms.reviewer: ms.topic: article manager: dansimp ms.author: dansimp -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security author: dansimp ms.collection: M365-security-compliance ms.custom: intro-overview diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml index 9e25d09647..dc42004f13 100644 --- a/windows/whats-new/TOC.yml +++ b/windows/whats-new/TOC.yml 
@@ -20,23 +20,3 @@ href: whats-new-windows-10-version-21H1.md - name: What's new in Windows 10, version 20H2 href: whats-new-windows-10-version-20H2.md - - name: What's new in Windows 10, version 2004 - href: whats-new-windows-10-version-2004.md - - name: What's new in Windows 10, version 1909 - href: whats-new-windows-10-version-1909.md - - name: What's new in Windows 10, version 1903 - href: whats-new-windows-10-version-1903.md -- name: Previous versions - items: - - name: What's new in Windows 10, version 1809 - href: whats-new-windows-10-version-1809.md - - name: What's new in Windows 10, version 1803 - href: whats-new-windows-10-version-1803.md - - name: What's new in Windows 10, version 1709 - href: whats-new-windows-10-version-1709.md - - name: What's new in Windows 10, version 1703 - href: whats-new-windows-10-version-1703.md - - name: What's new in Windows 10, version 1607 - href: whats-new-windows-10-version-1607.md - - name: What's new in Windows 10, versions 1507 and 1511 - href: whats-new-windows-10-version-1507-and-1511.md \ No newline at end of file diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md index b99b7a48ad..77dfd79528 100644 --- a/windows/whats-new/contribute-to-a-topic.md +++ b/windows/whats-new/contribute-to-a-topic.md @@ -1,10 +1,7 @@ --- title: Edit an existing topic using the Edit link description: Instructions about how to edit an existing topic by using the Edit link on docs.microsoft.com. -keywords: contribute, edit a topic ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library ms.date: 10/13/2017 ms.reviewer: manager: dansimp diff --git a/windows/whats-new/get-started-with-1709.md b/windows/whats-new/get-started-with-1709.md deleted file mode 100644 index c2522f3e4c..0000000000 --- a/windows/whats-new/get-started-with-1709.md +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -title: Get started with Windows 10, version 1709 -description: Learn about features, review requirements, and plan your deployment of Windows 10, version 1709, including IT Pro content, release information, and history. -keywords: ["get started", "windows 10", "fall creators update", "1709"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: dansimp -ms.author: dansimp -ms.date: 10/16/2017 -ms.reviewer: -manager: dansimp -ms.localizationpriority: high -ms.topic: article ---- - -# Get started with Windows 10, version 1709 - -**Applies to** - -- Windows 10 - -> **Looking for information about Windows 10 for personal or home use?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) - -Welcome to Windows 10, version 1709, also known as the Fall Creators Update. Use the following information to learn about new features, review system requirements, and plan your deployment of the latest version of Windows 10. - -## Specification and systems requirements - -Before you install any version of Windows 10, make sure you visit the [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications) page. This page contains the minimum systems requirements and important notes to install Windows 10, as well as feature deprecation information and additional requirements to use certain features. - -## What's new in Windows 10, version 1709 IT Pro content - -Take a look at the [What's new in Windows 10, version 1709 IT Pro content](whats-new-windows-10-version-1709.md), for the latest updates in content. Use this topic to easily navigate the documentation for the new features in Windows 10, version 1709. 
- -## Windows 10 release information and update history - -To view availability dates and servicing options for each version and update of Windows, including version 1709, visit the [Windows 10 release information](https://technet.microsoft.com/windows/mt679505.aspx) page. For further details on each update, go to the [Windows 10 update history](https://support.microsoft.com/help/4018124/windows-10-update-history) page. - -## Windows 10 Roadmap - -If you'd like to gain some insight into preview, or in-development features, visit the [Windows 10 Roadmap](https://www.microsoft.com/WindowsForBusiness/windows-roadmap) page. You'll be able to filter by feature state and product category, to make this information easier to navigate. - -## Top support solutions for Windows 10 - -Having problems with your latest deployment of Windows 10, version 1709? Check out the [Top support solutions for Windows 10](/windows/client-management/windows-10-support-solutions) topic, where we've collected the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. - -> Want even more information? Visit the [Windows 10 lifecycle page](https://www.microsoft.com/itpro/windows-10) on the [Windows IT Pro Center](https://itpro.windows.com). - -Ready to get started with Windows 10, version 1709? -> [!div class="nextstepaction"] -> [Deploy and Update Windows 10](/windows/deployment) diff --git a/windows/whats-new/images/bulk-token.PNG b/windows/whats-new/images/bulk-token.PNG deleted file mode 100644 index b0d2221824..0000000000 Binary files a/windows/whats-new/images/bulk-token.PNG and /dev/null differ diff --git a/windows/whats-new/images/wdatp.png b/windows/whats-new/images/wdatp.png deleted file mode 100644 index 79410f493f..0000000000 Binary files a/windows/whats-new/images/wdatp.png and /dev/null differ diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml index 615251c635..3d11bd96e3 100644 
--- a/windows/whats-new/index.yml +++ b/windows/whats-new/index.yml 
@@ -1,76 +1,67 @@ ### YamlMime:Landing -title: What's new in Windows # < 60 chars -summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # < 160 chars +title: What's new in Windows +summary: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. metadata: - title: What's new in Windows # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars. + title: What's new in Windows + description: Find out about new features and capabilities in the latest release of Windows 10 and Windows 11. services: windows-10 - ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. + ms.service: windows-10 ms.subservice: subservice - ms.topic: landing-page # Required + ms.topic: landing-page ms.collection: - windows-10 - highpri author: aczechowski ms.author: aaroncz manager: dougeby - ms.date: 06/24/2021 #Required; mm/dd/yyyy format. 
+ ms.date: 06/03/2022 localization_priority: medium - -# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: -# Cards and links should be based on top customer tasks or top subjects -# Start card title with a verb - # Card (optional) - title: Windows 11 linkLists: - linkListType: overview links: - text: Windows 11 overview - url: windows-11-overview.md + url: windows-11-overview.md - text: Windows 11 requirements url: windows-11-requirements.md - - text: Plan for Windows 11 + - text: Plan for Windows 11 url: windows-11-plan.md - - text: Prepare for Windows 11 + - text: Prepare for Windows 11 url: windows-11-prepare.md - title: Windows 10 linkLists: - linkListType: overview links: + - text: What's new in Windows 10, version 21H2 + url: whats-new-windows-10-version-21h2.md - text: What's new in Windows 10, version 21H1 - url: whats-new-windows-10-version-21h1.md + url: whats-new-windows-10-version-21h1.md - text: What's new in Windows 10, version 20H2 - url: whats-new-windows-10-version-20H2.md - - text: What's new in Windows 10, version 2004 - url: whats-new-windows-10-version-2004.md - - text: What's new in Windows 10, version 1909 - url: whats-new-windows-10-version-1909.md - - text: What's new in Windows 10, version 1903 - url: whats-new-windows-10-version-1903.md + url: whats-new-windows-10-version-20h2.md - - # Card (optional) - title: Learn more linkLists: - linkListType: overview links: - - text: Windows release information - url: /windows/release-health/release-information + - text: Windows 11 release information + url: /windows/release-health/windows11-release-information - text: Windows release health dashboard - url: /windows/release-information/ - - text: Windows update history - url: https://support.microsoft.com/topic/windows-10-update-history-7dd3071a-3906-fa2c-c342-f7f86728a6e3 - - text: Windows 10 features we’re no longer 
developing + url: /windows/release-health/ + - text: Windows 11 update history + url: https://support.microsoft.com/topic/windows-11-update-history-a19cd327-b57f-44b9-84e0-26ced7109ba9 + - text: Windows 10 update history + url: https://support.microsoft.com/topic/windows-10-update-history-857b8ccb-71e4-49e5-b3f6-7073197d98fb + - text: Windows 10 features we're no longer developing url: /windows/deployment/planning/windows-10-deprecated-features - text: Features and functionality removed in Windows 10 url: /windows/deployment/planning/windows-10-removed-features - text: Compare Windows 10 Editions - url: https://go.microsoft.com/fwlink/p/?LinkId=690485 + url: https://www.microsoft.com/windowsforbusiness/compare - text: Windows 10 Enterprise LTSC url: ltsc/index.md diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index dfb0df5731..5d691021f8 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -1,11 +1,7 @@ --- title: Windows 10 Enterprise LTSC description: New and updated IT Pro content about new features in Windows 10, LTSC (also known as Windows 10 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 LTSC", "Windows 10 LTSB"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby 
@@ -30,9 +26,9 @@ This topic provides links to articles with information about what's new in each ## The Long-Term Servicing Channel (LTSC) -The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (SAC) releases. +The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases. -| LTSC release | Equivalent SAC release | Availability date | +| LTSC release | Equivalent GA Channel release | Availability date | | --- | --- | --- | | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2015.md b/windows/whats-new/ltsc/whats-new-windows-10-2015.md index c1c29d8f63..6e75a1fb9f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2015.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2015.md @@ -4,13 +4,9 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2015 (also known as Windows 10 Enterprise 2015 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2015"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski -ms.localizationpriority: low +ms.localizationpriority: medium ms.topic: article --- @@ -21,9 +17,6 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2015 (LTSB). For a brief description of the LTSC servicing channel, see [Windows 10 Enterprise LTSC](index.md). -> [!NOTE] -> Features in Windows 10 Enterprise LTSC 2015 are equivalent to [Windows 10, version 1507](../whats-new-windows-10-version-1507-and-1511.md). - ## Deployment ### Provisioning devices using Windows Imaging and Configuration Designer (ICD) 
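Review bot: The `@@ -21,9 +17,6 @@` hunk in whats-new-windows-10-2015.md deletes the whole note stating that LTSC 2015 is equivalent to Windows 10, version 1507, where only its link target (`../whats-new-windows-10-version-1507-and-1511.md`) is going away. The 2019 article keeps the same kind of note as plain text ("Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809"). Keep the 2015 note without the link so the LTSC articles stay consistent.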
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2016.md b/windows/whats-new/ltsc/whats-new-windows-10-2016.md index 354488f563..7ee18df927 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2016.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2016.md @@ -4,11 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2016 (also known as Windows 10 Enterprise 2016 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2016"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.localizationpriority: low ms.topic: article diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 40a615660a..034ffc1f83 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -4,12 +4,9 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2019 (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2019"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski -ms.localizationpriority: low +ms.localizationpriority: medium ms.topic: article --- 
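Review bot: `ms.localizationpriority` is raised from `low` to `medium` in this whats-new-windows-10-2019.md hunk and in whats-new-windows-10-2015.md, but the whats-new-windows-10-2016.md hunk just above leaves `ms.localizationpriority: low` as an unchanged context line. If the three LTSC articles are meant to share a priority, change 2016 as well; if not, say in the commit message why it stays lower.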
@@ -21,22 +18,23 @@ ms.topic: article This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise LTSC 2019, compared to Windows 10 Enterprise LTSC 2016 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). >[!NOTE] ->Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. +>Features in Windows 10 Enterprise LTSC 2019 are equivalent to Windows 10, version 1809. Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: -- Advanced protection against modern security threats + +- Advanced protection against modern security threats - Full flexibility of OS deployment - Updating and support options - Comprehensive device and app management and control capabilities -The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. >[!IMPORTANT] >The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the General Availability Channel release of Windows 10 might be limited. ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. 
However, note that Windows 10 Update Rings Device profiles do not support LTSC releases, therefore you should use [Policy configuration service provider](/windows/client-management/mdm/policy-csp-update), WSUS, or Configuration Manager for patching. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Endpoint Configuration Manager. ## Security 
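Review bot: In the rewritten Microsoft Intune paragraph, the link text "policy configuration service provider (CSP)" targets `/windows/client-management/mdm/policy-csp-update`, which is the Update area of the Policy CSP rather than the CSP as a whole. Since this sentence is the only guidance on how LTSC devices get patched when update rings device profiles don't apply, name the target precisely, for example "the Update policies in the [policy configuration service provider (CSP)](...)", so admins know which settings to look for.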
@@ -46,37 +44,36 @@ This version of Windows 10 includes security improvements for threat protection, #### Microsoft Defender for Endpoint -The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. +The [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) platform includes multiple security pillars. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. -[ ![Microsoft Defender for Endpoint.](../images/wdatp.png) ](../images/wdatp.png#lightbox) - -##### Attack surface reduction +##### Attack surface reduction Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders). -- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. +- This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We've made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. 
-- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. +- When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Select **Allow an app through Controlled folder access**. After the prompt, select the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. -###### Windows Defender Firewall +###### Windows Defender Firewall -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. 
For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This behavior was first introduced in [Build 17627](/windows/wsl/release-notes#build-17618-skip-ahead). ##### Windows Defender Device Guard -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: + +- Software-based protection provided by code integrity policies - Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). +But these protections can also be configured separately. And, unlike HVCI, code integrity policies don't require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). 
-### Next-gen protection +### Next-gen protection -### Endpoint detection and response +### Endpoint detection and response -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Microsoft Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Microsoft Defender for Endpoint portal. -Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between M365 services and interoperates with Microsoft Defender for Endpoint. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). +Windows Defender is now called Microsoft Defender Antivirus and now shares detection status between Microsoft 365 services and interoperates with Microsoft Defender for Endpoint. Other policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Microsoft Defender Antivirus through cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus). 
We've also [increased the breadth of the documentation library for enterprise security admins](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows). The new library includes information on: @@ -98,9 +95,9 @@ We've [invested heavily in helping to protect against ransomware](https://blogs. **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. +- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intelligence application, and create custom threat intelligence alerts for your organization. -- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. You can use advanced hunting through the creation of custom detection rules. - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. 
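Review bot: In the `@@ -46,37 +44,36 @@` hunk, the unchanged line under "Attack surface reduction" still carries a malformed link, `[controlled folder access]/microsoft-365/security/defender-endpoint/enable-controlled-folders)`, with no opening parenthesis before the URL, so it won't render as a link. The lines on both sides are being edited, so fix it in this change. In the same hunk, the reworded Windows Defender Firewall sentence keeps the link text "Build 17627" over the fragment `#build-17618-skip-ahead`; confirm which build is meant. "### Next-gen protection" is also still an empty heading directly above "### Endpoint detection and response".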
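Review bot: In the `@@ -98,9 +95,9 @@` hunk, the "Use the threat intelligence API to create custom alerts" bullet has its description edited but still links to `/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection`, the old path style that the next hunk replaces for sibling bullets with targets such as `/microsoft-365/security/defender-endpoint/respond-machine-alerts`. Verify or update this target too. The reworded custom detection bullet, "You can use advanced hunting through the creation of custom detection rules", no longer says that this is how the monitoring in the previous sentence is done; consider "To do so, create custom detection rules that use advanced hunting."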
@@ -110,83 +107,77 @@ We've [invested heavily in helping to protect against ransomware](https://blogs. **Threat response** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. -- [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. +- [Take response actions on a machine](/microsoft-365/security/defender-endpoint/respond-machine-alerts) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. +- [Take response actions on a file](/microsoft-365/security/defender-endpoint/respond-file-alerts) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. -Additional capabilities have been added to help you gain a holistic view on **investigations** include: +Other capabilities have been added to help you gain a holistic view on **investigations** include: -- [Threat analytics](/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. 
+- [Threat analytics](/microsoft-365/security/defender-endpoint/threat-analytics) - Threat Analytics is a set of interactive reports published by the Microsoft Defender for Endpoint research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess the effect to their environment. They also provide recommended actions to contain, increase organizational resilience, and prevent specific threats. -- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Query data using Advanced hunting in Microsoft Defender for Endpoint](/microsoft-365/security/defender/advanced-hunting-query-language) -- [Use Automated investigations to investigate and remediate threats](/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) +- [Use Automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. +- [Investigate a user account](/microsoft-365/security/defender-endpoint/investigate-user) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. -- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. 
+- [Alert process tree](/microsoft-365/security/defender-endpoint/investigate-alerts) - Aggregates multiple detections and related events into a single view to reduce case resolution time. -- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Microsoft Defender for Endpoint. +- [Pull alerts using REST API](/microsoft-365/security/defender-endpoint/configure-siem) - Use REST API to pull alerts from Microsoft Defender for Endpoint. Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. +- [Check sensor health state](/microsoft-365/security/defender-endpoint/check-sensor-status) - Check an endpoint's ability to provide sensor data and communicate with the Microsoft Defender for Endpoint service and fix known issues. -- [Managed security service provider (MSSP) support](/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Managed security service provider (MSSP) support](/microsoft-365/security/defender-endpoint/mssp-support) - Microsoft Defender for Endpoint adds support for this scenario by providing MSSP integration. 
The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Defender](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration Azure Defender can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +- [Integration with Azure Defender](/microsoft-365/security/defender-endpoint/configure-server-endpoints#integration-with-microsoft-defender-for-cloud) - Microsoft Defender for Endpoint integrates with Azure Defender to provide a comprehensive server protection solution. With this integration, Azure Defender can use Defender for Endpoint to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. +- [Integration with Microsoft Cloud App Security](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security uses Microsoft Defender for Endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Defender for Endpoint monitored machines. 
-- [Onboard Windows Server 2019](/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard Windows Server 2019](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-semi-annual-enterprise-channel-sac-windows-server-2019-and-windows-server-2022) - Microsoft Defender for Endpoint now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. +- [Onboard previous versions of Windows](/microsoft-365/security/defender-endpoint/onboard-downlevel) - Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender for Endpoint sensor. -- [Enable conditional access to better protect users, devices, and data](/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) +- [Enable conditional access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access) -We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. 
+We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device's time isn't properly synced with our time servers and the time-syncing service is disabled, we'll provide the option for you to turn it back on. -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. +We're continuing to work on how other security apps you've installed show up in the **Windows Security** app. There's a new page called **Security providers** that you can find in the **Settings** section of the app. Select **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers' apps or get more information on how to resolve issues reported to you through **Windows Security**. -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). +This improvement also means you'll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you'll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). 
You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) +- [Averting ransomware epidemics in corporate networks with Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Microsoft Malware Protection Center blog](https://www.microsoft.com/security/blog/category/research/ransomware/) Also see [New capabilities of Microsoft Defender for Endpoint further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) -Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). +Get a quick, but in-depth overview of Microsoft Defender for Endpoint for Windows 10: [Defender for Endpoint](/microsoft-365/security/defender-endpoint/). - +### Information protection -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. +Improvements have been added to Windows Information Protection and BitLocker. #### Windows Information Protection -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. 
For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure). -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). 
+You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For more information, see [How to collect Windows Information Protection (WIP) audit event logs](/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs). -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive files on-demand for the enterprise](https://techcommunity.microsoft.com/t5/microsoft-onedrive-blog/onedrive-files-on-demand-for-the-enterprise/ba-p/117234). ### BitLocker -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#configure-minimum-pin-length-for-startup). #### Silent enforcement on fixed drives -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). 
This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (Azure AD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don't pass the HSTI. -This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. +This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others. ### Identity protection 
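Review bot: Under "Silent enforcement on fixed drives", the replacement sentence "This change is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) and used by Intune and others." is ungrammatical and drops "which was introduced in Windows 10, version 1703", the one detail that tells admins which releases have the CSP at all. Suggest "This change is an update to the BitLocker CSP, which was introduced in Windows 10, version 1703, and is used by Intune and others." Elsewhere in this hunk, the "Pull alerts using REST API" bullet now targets `configure-siem` and the "Alert process tree" link loses its `#alert-process-tree` fragment; check that both still land on the content the bullet text describes. The line "Other capabilities have been added to help you gain a holistic view on **investigations** include:" was touched only to swap the first word and is still not a complete sentence.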
@@ -194,50 +185,46 @@ Improvements have been added are to Windows Hello for Business and Credential Gu #### Windows Hello for Business -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you aren't present. -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) include: -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](/mem/intune). -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset). 
-[Windows Hello](/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). +[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/index) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration). -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Windows Hello is now password-less on S-mode. - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- You can set up Windows Hello from lock screen for Microsoft accounts. 
We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider. + +- It's easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off). -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: device Bluetooth is off). - For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) #### Windows Defender Credential Guard -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. 
It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. > [!NOTE] -> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. +> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). +For more information, see [Credential Guard Security Considerations](/windows/security/identity-protection/credential-guard/credential-guard-requirements#security-considerations). ### Other security improvements #### Windows security baselines -Microsoft has released new [Windows security baselines](/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -**Windows security baselines** have been updated for Windows 10. 
A [security baseline](/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/device-security/security-compliance-toolkit-10). - -The new [security baseline for Windows 10 version 1803](/windows/security/threat-protection/security-compliance-toolkit-10) has been published. +Microsoft has released new [Windows security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security effect. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10). #### SMBLoris vulnerability 
@@ -245,57 +232,52 @@ An issue, known as _SMBLoris_, which could result in denial of service, has been #### Windows Security Center -Windows Defender Security Center is now called **Windows Security Center**. +Windows Defender Security Center is now called **Windows Security Center**. -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. +You can still get to the app in all the usual ways. Ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Microsoft Defender Antivirus** and **Windows Defender Firewall**. -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. +The WSC service now requires antivirus products to run as a protected process to register. Products that haven't yet implemented this functionality won't appear in the Windows Security Center user interface, and Microsoft Defender Antivirus will remain enabled side-by-side with these products. -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. +WSC now includes the Fluent Design System elements you know and love. You'll also notice we've adjusted the spacing and padding around the app. 
It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you've enabled that option in **Color Settings**. -![Security at a glance.](../images/defender.png "Windows Security Center") +:::image type="content" source="../images/defender.png" alt-text="Screenshot of the Windows Security Center."::: -#### Group Policy Security Options +#### Group policy security options -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. +[**Interactive logon: Don't display username at sign-in**](/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise LTSC 2019. This security policy setting determines whether the username is displayed during sign-in. 
It works with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. #### Windows 10 in S mode -We’ve continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: +We've continued to work on the **Current threats** area in [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: -> [!div class="mx-imgBorder"] -> ![Virus & threat protection settings in Windows S mode.](../images/virus-and-threat-protection.png) +:::image type="content" source="../images/virus-and-threat-protection.png" alt-text="Screenshot of the Virus & threat protection settings in Windows."::: ## Deployment ### MBR2GPT.EXE -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise LTSC 2019 (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. 
The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also run from the full Windows 10 operating system. -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports other partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. +Other security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). +For more information, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). ### DISM The following new DISM commands have been added to manage feature updates: -- **DISM /Online /Initiate-OSUninstall** - - Initiates an OS uninstall to take the computer back to the previous installation of windows. +- `DISM /Online /Initiate-OSUninstall`: Initiates an OS uninstall to take the computer back to the previous installation of windows. 
-- **DISM /Online /Remove-OSUninstall** - - Removes the OS uninstall capability from the computer. +- `DISM /Online /Remove-OSUninstall`: Removes the OS uninstall capability from the computer. -- **DISM /Online /Get-OSUninstallWindow** - - Displays the number of days after upgrade during which uninstall can be performed. +- `DISM /Online /Get-OSUninstallWindow`: Displays the number of days after upgrade during which uninstall can be performed. -- **DISM /Online /Set-OSUninstallWindow** - - Sets the number of days after upgrade during which uninstall can be performed. +- `DISM /Online /Set-OSUninstallWindow`: Sets the number of days after upgrade during which uninstall can be performed. For more information, see [DISM operating system uninstall command-line options](/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). 
@@ -303,129 +285,106 @@ For more information, see [DISM operating system uninstall command-line options] You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. -Prerequisites: +Prerequisites: + - Windows 10, version 1803 or Windows 10 Enterprise LTSC 2019, or later. - Windows 10 Enterprise or Pro For more information, see [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. +It's also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. `/PostRollback [\setuprollback.cmd] [/postrollback {system / admin}]` -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21). +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#postrollback). New command-line switches are also available to control BitLocker: -- **Setup.exe /BitLocker AlwaysSuspend** - - Always suspend BitLocker during upgrade. +- `Setup.exe /BitLocker AlwaysSuspend`: Always suspend BitLocker during upgrade. -- **Setup.exe /BitLocker TryKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, then suspend BitLocker and complete the upgrade. +- `Setup.exe /BitLocker TryKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, then suspend BitLocker and complete the upgrade. -- **Setup.exe /BitLocker ForceKeepActive** - - Enable upgrade without suspending BitLocker, but if upgrade does not work, fail the upgrade. 
+- `Setup.exe /BitLocker ForceKeepActive`: Enable upgrade without suspending BitLocker, but if upgrade doesn't work, fail the upgrade. -For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33). +For more information, see [Windows Setup Command-Line Options](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#bitlocker). ### Feature update improvements -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This change results in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/articles/were-listening-to-you/). ### SetupDiag [SetupDiag](/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. +SetupDiag works by searching Windows Setup log files. When it searches log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. 
## Sign-in ### Faster sign-in to a Windows 10 shared pc -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc) in a flash! +If you have shared devices deployed in your work place, **Fast sign-in** enables users to quickly sign in to a [shared Windows 10 PC](/windows/configuration/set-up-shared-or-guest-pc). -**To enable fast sign-in:** +#### To enable fast sign-in 1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise LTSC 2019. 2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! +3. Sign-in to a shared PC with your account. - ![fast sign-in.](../images/fastsignin.png "fast sign-in") + :::image type="content" source="../images/fastsignin.png" alt-text="An animated image that demonstrates the fast sign-in feature."::: ### Web sign-in to Windows 10 -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). +Until now, Windows sign-in only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We're introducing "web sign-in," a new way of signing into your Windows PC. Web Sign-in enables Windows sign-in support for non-ADFS federated providers (e.g.SAML). -**To try out web sign-in:** +#### Try out web sign-in 1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. +2. Set the Policy CSP, and the Authentication and EnableWebSignIn policies to enable web sign-in. 3. 
On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. -![Sign-in option.](../images/websignin.png "web sign-in") +4. Select "Sign in" to continue. -## Windows Analytics + :::image type="content" source="../images/websignin.png" alt-text="A screenshot of the Windows sign-in screen that highlights the web sign-in feature."::: -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a General Availability Channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](/archive/blogs/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). 
- -### Update Compliance +## Update Compliance Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. + For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Microsoft Defender Antivirus with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](/windows/deployment/update/device-health-monitor). - -## Accessibility and Privacy +## Accessibility and privacy ### Accessibility -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). 
Also see the accessibility section in [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/), a blog post. +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/). ### Privacy -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/configuration/diagnostic-data-viewer-overview) app. +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](/windows/privacy/diagnostic-data-viewer-overview) app. ## Configuration ### Kiosk configuration -The new chromium-based Microsoft Edge has many improvements specifically targeted to Kiosks. However, it is not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately [here](https://www.microsoft.com/edge/business/download). +The new chromium-based Microsoft Edge has many improvements targeted to kiosks. However, it's not included in the LTSC release of Windows 10. You can download and install Microsoft Edge separately. For more information, see [Download and deploy Microsoft Edge for business](https://www.microsoft.com/edge/business/download). -Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. 
+Internet Explorer is included in Windows 10 LTSC releases as its feature set isn't changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. -If you wish to take advantage of [Kiosk capabilities in Edge](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. +If you wish to take advantage of [Kiosk capabilities in Microsoft Edge](/previous-versions/windows/edge-legacy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](/windows/configuration/kiosk-methods) with a semi-annual release channel. ### Co-management -Intune and Microsoft Endpoint Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. +Intune and Microsoft Endpoint Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. -For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803). +For more information, see [What's New in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). ### OS uninstall period 
@@ -435,72 +394,70 @@ The OS uninstall period is a length of time that users are given when they can o Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](../images/bulk-token.png) - ### Windows Spotlight -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: +The following new group policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - **Turn off the Windows Spotlight on Action Center** - **Do not use diagnostic data for tailored experiences** - **Turn off the Windows Welcome Experience** -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) +For more information, see [Configure Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). ### Start and taskbar layout Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise LTSC 2019 adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: +[More MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). 
New MDM policy settings include: - Settings for the User tile: [**Start/HideUserTile**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) - Settings for Power: [**Start/HidePowerButton**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), 
and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). +- Other new settings: [**Start/HideFrequentlyUsedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](/windows/client-management/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist). ## Windows Update ### Windows Insider for Business -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization - especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](https://insider.windows.com/for-business). You can now register your Azure AD domains to the Windows Insider Program. 
For more information, see [Windows Insider Program for Business](https://insider.windows.com/for-business). - ### Optimize update delivery -With changes delivered in Windows 10 Enterprise LTSC 2019, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. +With changes delivered in Windows 10 Enterprise LTSC 2019, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Configuration Manager. It's also supported with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This support is in addition to current express support on Windows Update, Windows Update for Business and WSUS. >[!NOTE] > The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. +Delivery Optimization policies now enable you to configure other restrictions to have more control in various scenarios. 
Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization). +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/do/waas-delivery-optimization-reference#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/do/waas-delivery-optimization-reference#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/do/waas-delivery-optimization-reference#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/do/waas-delivery-optimization-reference#minimum-peer-caching-content-file-size) + +For more information, see [Configure Delivery Optimization for Windows updates](/windows/deployment/do/waas-delivery-optimization). 
### Uninstalled in-box apps no longer automatically reinstall Starting with Windows 10 Enterprise LTSC 2019, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. -Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. +Additionally, apps de-provisioned by admins on Windows 10 Enterprise LTSC 2019 machines will stay de-provisioned after future feature update installations. This behavior won't apply to the update from Windows 10 Enterprise LTSC 2016 (or earlier) to Windows 10 Enterprise LTSC 2019. ## Management ### New MDM capabilities -Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). +Windows 10 Enterprise LTSC 2019 adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful group policy settings via MDM. For more information, see [Policy CSP - ADMX-backed policies](/windows/client-management/mdm/policy-configuration-service-provider). 
Some of the other new CSPs are: -- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. +- The [DynamicManagement CSP](/windows/client-management/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can't reach the management server when the location or network changes. The dynamic management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - The [CleanPC CSP](/windows/client-management/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. 
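Review bot: In the "Optimize update delivery" paragraph, the rewritten sentence drops the qualifier "starting with version 1702 of Configuration Manager", so the article no longer states which Configuration Manager version express updates require. If the removal is deliberate, that is fine; otherwise keep the minimum version. The follow-on sentence "It's also supported with other third-party updating and management products" refers back to the plural "express updates" and should read "They're also supported". In the Start and taskbar list, the touched line still labels the link **Start/HideAppsList** while its anchor is `#start-hideapplist`; one of the two is misspelled and is worth checking while the line is being edited.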
@@ -512,13 +469,11 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. +For more information, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). -[Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). 
+Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management). ### Mobile application management support for Windows 10 
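Review bot: With the `#whatsnew10` and `#whatsnew1709` fragments removed, the two "For more information" sentences in the MDM section now link to the same URL, `/windows/client-management/mdm/new-in-windows-mdm-enrollment-management`, under two different titles ("What's new in mobile device enrollment and management" and "What's new in MDM enrollment and management"). Suggest keeping a single link that uses the target article's actual title and folding "Multiple new configuration items are also added" into that sentence, so the reader isn't sent to the same page twice a few lines apart.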
@@ -528,13 +483,14 @@ For more info, see [Implement server-side support for mobile application managem ### MDM diagnostics -In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. +In Windows 10 Enterprise LTSC 2019, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we're introducing [Microsoft Message Analyzer](/message-analyzer/microsoft-message-analyzer-operating-guide) as another tool to help support personnel quickly reduce issues to their root cause, while saving time and cost. ### Application Virtualization for Windows (App-V) -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. 
Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically clean up your unpublished packages after a device restart. +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise LTSC 2019 introduces two new PowerShell cmdlets, **New-AppVSequencerVM** and **Connect-AppvSequencerVM**. These cmdlets automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (`.appvt`) file, and letting you use PowerShell or group policy settings to automatically clean up your unpublished packages after a device restart. + +For more information, see the following articles: -For more info, see the following topics: - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) 
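Review bot: The two cmdlet names added in bold in the App-V paragraph are cased differently, **New-AppVSequencerVM** and **Connect-AppvSequencerVM** ("AppV" versus "Appv"). The mismatch is carried over from the removed line, but since the names are now set off as formatted terms it stands out; use one casing for both. The same sentence also gives `.appvt` code formatting while the cmdlets get bold, and names a reader will type at a prompt would be better in code formatting as well.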
@@ -544,16 +500,16 @@ For more info, see the following topics: Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 diagnostic data](/windows/privacy/windows-diagnostic-data-1703) -### Group Policy spreadsheet +### Group policy spreadsheet -Learn about the new Group Policies that were added in Windows 10 Enterprise LTSC 2019. +Learn about the new group policies that were added in Windows 10 Enterprise LTSC 2019. -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) +- [Group policy settings reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) -### Mixed Reality Apps +### Mixed reality apps This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](/windows/application-management/manage-windows-mixed-reality). 
@@ -561,7 +517,7 @@ This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.wind ### Network stack -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core network stack features in the Creators Update for Windows 10](https://techcommunity.microsoft.com/t5/networking-blog/core-network-stack-features-in-the-creators-update-for-windows/ba-p/339676). ### Miracast over Infrastructure 
@@ -569,47 +525,47 @@ In this version of Windows 10, Microsoft has extended the ability to send a Mira #### How it works -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS and multicast DNS (mDNS). If the name isn't resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. -#### Miracast over Infrastructure offers a number of benefits +#### Miracast over Infrastructure offers many benefits - Windows automatically detects when sending the video stream over this path is applicable. - Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- Users don't have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. - No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. 
-- It leverages an existing connection that both reduces the time to connect and provides a very stable stream. +- It works well with older wireless hardware that isn't optimized for Miracast over Wi-Fi Direct. +- It uses an existing connection that reduces the time to connect and provides a stable stream. #### Enabling Miracast over Infrastructure -If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: +If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, then you automatically have this new feature. To take advantage of it in your environment, you need to make sure the following requirement exist within your deployment: - The device (PC or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise LTSC 2019, or a later OS. - A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows device can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection. For example, using either WPA2-PSK or WPA2-Enterprise security. If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - As a Miracast source, the device must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. 
You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this configuration by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. > [!IMPORTANT] -> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. +> Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don't have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. ## Registry editor improvements -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. +We added a dropdown that displays while you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. 
-![Reg editor.](../images/regeditor.png "Registry editor dropdown") +:::image type="content" source="../images/regeditor.png" alt-text="Screenshot of Registry Editor showing list of path completion."::: ## Remote Desktop with Biometrics Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and select **Connect**. -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also select **More choices** to choose alternate credentials. - Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. @@ -619,6 +575,6 @@ See the following example: ![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal") ![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016") -## See Also +## See also [Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 1e10461eea..6faf817654 100644 
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -4,10 +4,7 @@ ms.reviewer: manager: dougeby ms.author: aaroncz description: New and updated IT Pro content about new features in Windows 10 Enterprise LTSC 2021. -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise LTSC 2021"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.localizationpriority: low ms.topic: article 
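Review bot: In the Miracast over Infrastructure hunk of the preceding file (@@ -569,47 +525,47 @@), the new sentence under "Enabling Miracast over Infrastructure" reads "you need to make sure the following requirement exist within your deployment", which is a number disagreement the old wording did not have; it should be "the following requirements exist", since a list of several items follows. In the same hunk, replacing "(e.g. using either WPA2-PSK or WPA2-Enterprise security)" with a separate sentence leaves the fragment "For example, using either WPA2-PSK or WPA2-Enterprise security."; suggest "For example, use WPA2-PSK or WPA2-Enterprise security." The rewritten "How it works" line also keeps "standard Wi-Fi direct connection" in lowercase while the rest of the section writes "Wi-Fi Direct".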
@@ -142,7 +139,7 @@ Windows Hello enhancements include: - Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox. - You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN. - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). -- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). 
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. - Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present. - [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD. diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index e7ad13d805..8190b90e04 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -1,16 +1,14 @@ --- title: What's new in Windows 10, versions 1507 and 1511 (Windows 10) description: What's new in Windows 10 for Windows 10 (versions 1507 and 1511). -ms.assetid: 75F285B0-09BE-4821-9B42-37B9BE54CEC6 ms.reviewer: ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, versions 1507 and 1511 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index 509b7d10a0..48342fd24c 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md 
@@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1607 (Windows 10) description: What's new in Windows 10 for Windows 10 (version 1607). -keywords: ["What's new in Windows 10", "Windows 10", "anniversary update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1607 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index a62e914365..df0bb338ac 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -1,17 +1,14 @@ --- title: What's new in Windows 10, version 1703 description: New and updated features in Windows 10, version 1703 (also known as the Creators Updated). -keywords: ["What's new in Windows 10", "Windows 10", "creators update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.localizationpriority: high -ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617 +ms.localizationpriority: medium ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1703 for IT Pros @@ -44,8 +41,6 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. -![get bulk token action in wizard.](images/bulk-token.png) - ### Windows Spotlight 
@@ -232,7 +227,6 @@ Some of the other new CSPs are: - The [EnterpriseAppVManagement CSP](/windows/client-management/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. [Learn more about new MDM capabilities.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index 905d4ff2dd..ad9ebb3782 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1709 description: New and updated features in Windows 10, version 1709 (also known as the Fall Creators Update). -keywords: ["What's new in Windows 10", "Windows 10", "Fall Creators Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1709 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index f2f4dc5964..d8903b9bbb 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md 
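Review bot: In the @@ -232,7 +227,6 @@ hunk of whats-new-windows-10-version-1703.md, the context line that remains after the removed MMAT paragraph still links to `/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew10`, whereas the equivalent link in the LTSC 2019 article was changed in this same patch to drop that fragment. If the fragment was removed there because the target article no longer has that anchor, this link needs the same update; if the anchor still exists, the LTSC 2019 change lost a useful deep link.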
@@ -1,16 +1,14 @@ --- title: What's new in Windows 10, version 1803 description: New and updated features in Windows 10, version 1803 (also known as the Windows 10 April 2018 Update). -keywords: ["What's new in Windows 10", "Windows 10", "April 2018 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.reviewer: author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1803 for IT Pros 
@@ -147,7 +145,7 @@ The OS uninstall period is a length of time that users are given when they can o - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. - New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 9ce31284cc..d14888637d 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -2,15 +2,13 @@ title: What's new in Windows 10, version 1809 ms.reviewer: description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803. -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski manager: dougeby ms.author: aaroncz -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1809 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md index 35ed9f16c3..30dde72ade 100644 --- a/windows/whats-new/whats-new-windows-10-version-1903.md +++ b/windows/whats-new/whats-new-windows-10-version-1903.md @@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 1903 description: New and updated features in Windows 10, version 1903 (also known as the Windows 10 May 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2019 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1903 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 3b33b31e96..7f89949678 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md 
@@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 1909 description: New and updated features in Windows 10, version 1909 (also known as the Windows 10 November 2019 Update). -keywords: ["What's new in Windows 10", "Windows 10", "November 2019 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 1909 for IT Pros diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 726580724f..a00b411668 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -1,16 +1,13 @@ --- title: What's new in Windows 10, version 2004 description: New and updated features in Windows 10, version 2004 (also known as the Windows 10 May 2020 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2020 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby -ms.localizationpriority: high +ms.localizationpriority: medium ms.topic: article +ROBOTS: NOINDEX --- # What's new in Windows 10, version 2004 for IT Pros 
@@ -35,7 +32,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings - Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995). -- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). +- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894). ### Windows Defender System Guard diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md index 436dc92f0d..b3f400dbeb 100644 --- a/windows/whats-new/whats-new-windows-10-version-20H2.md +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md 
@@ -1,11 +1,7 @@ --- title: What's new in Windows 10, version 20H2 description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update). -keywords: ["What's new in Windows 10", "Windows 10", "October 2020 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/whats-new-windows-10-version-21H1.md b/windows/whats-new/whats-new-windows-10-version-21H1.md index 2fdba9bd26..f598d1913b 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H1.md +++ b/windows/whats-new/whats-new-windows-10-version-21H1.md @@ -1,11 +1,7 @@ --- title: What's new in Windows 10, version 21H1 description: New and updated features in Windows 10, version 21H1 (also known as the Windows 10 May 2021 Update). -keywords: ["What's new in Windows 10", "Windows 10", "May 2021 Update"] ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index d536eb04eb..da72022d30 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -3,9 +3,6 @@ title: What's new in Windows 10, version 21H2 for IT pros description: Learn more about what's new in Windows 10 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more. manager: dougeby ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: mobile ms.author: aaroncz author: aczechowski ms.localizationpriority: medium diff --git a/windows/whats-new/windows-10-insider-preview.md b/windows/whats-new/windows-10-insider-preview.md index 2e6f2191f7..61a499904f 100644 --- a/windows/whats-new/windows-10-insider-preview.md +++ b/windows/whats-new/windows-10-insider-preview.md 
@@ -2,8 +2,6 @@ title: Documentation for Windows 10 Insider Preview (Windows 10) description: Preliminary documentation for some Windows 10 features in Insider Preview. ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library author: dansimp ms.date: 04/14/2017 ms.reviewer: diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md index 623e6caba5..ec5cd6f23f 100644 --- a/windows/whats-new/windows-11-overview.md +++ b/windows/whats-new/windows-11-overview.md @@ -3,14 +3,10 @@ title: Windows 11 overview for administrators description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs. ms.reviewer: manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -audience: itpro ms.topic: article ms.collection: highpri ms.custom: intro-overview diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md index 91a6d66855..7f67c4a774 100644 --- a/windows/whats-new/windows-11-plan.md +++ b/windows/whats-new/windows-11-plan.md @@ -1,10 +1,7 @@ --- title: Plan for Windows 11 description: Windows 11 deployment planning, IT Pro content. -keywords: ["get started", "windows 11", "plan"] ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 262bf50024..532493e1e3 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
@@ -1,10 +1,7 @@ --- title: Prepare for Windows 11 description: Prepare your infrastructure and tools to deploy Windows 11, IT Pro content. -keywords: ["get started", "windows 11"] ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 8384e85778..b2aef79c6d 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -2,14 +2,10 @@ title: Windows 11 requirements description: Hardware requirements to deploy Windows 11 manager: dougeby -ms.audience: itpro author: aczechowski ms.author: aaroncz ms.prod: w11 -ms.mktglfcycl: deploy -ms.sitesec: library ms.localizationpriority: medium -audience: itpro ms.topic: article ms.custom: seo-marvel-apr2020 ms.collection: highpri
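Review bot: the cutoff for `+ROBOTS: NOINDEX` needs to be stated. Starting with the front-matter hunk of whats-new-windows-10-version-1607.md, the line is added (together with `ms.localizationpriority` going from high to medium) on the 1607 through 2004 pages, while the 20H2, 21H1 and 21H2 hunks only remove keys and add no `ROBOTS` line. If that boundary is deliberate, say so in the commit message; if not, apply it to the remaining pages. Removing a page from search indexing is also a different kind of change from deleting unused metadata keys, so consider putting it in its own commit so it can be reverted separately.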
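Review bot: the `description:` context line in the front-matter hunk of whats-new-windows-10-version-1703.md still reads "also known as the Creators Updated". Since this hunk already edits the front matter, correct it to "Creators Update" in the same change.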
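Review bot: in whats-new-windows-10-version-1703.md at `@@ -44,8 +41,6 @@`, the removed line `![get bulk token action in wizard.](images/bulk-token.png)` drops this page's reference to images/bulk-token.png, but no deletion of that file is visible in this part of the diff. Check whether another page still uses the image, and if none does, delete it in this commit so it does not remain as an orphaned asset.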
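Review bot: in whats-new-windows-10-version-1703.md at `@@ -232,7 +227,6 @@`, the MMAT paragraph and its https://aka.ms/mmat link are removed with no reason visible in the change. If the tool is retired, state that in the commit message and check for other pages that still link to it. Also confirm that the remaining "[Learn more about new MDM capabilities.]" line is still separated by exactly one blank line from the CSP list above it, so it does not render as a continuation of the last list item.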
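Review bot: in whats-new-windows-10-version-1803.md at `@@ -147,7 +145,7 @@`, the rewritten bullet replaces "MSA accounts" but still reads "from lock screen" without an article, and the last context bullet in the same list keeps the shorthand "WD SC" and "ex:". Since this edit is already replacing abbreviations, suggest "from the lock screen" on the changed line and spelling out "Windows Defender Security Center" and "for example" in the same pass.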
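Review bot: in windows-10-insider-preview.md, the front matter left after this cleanup still carries `author: dansimp` and `ms.date: 04/14/2017`, while the other whats-new pages in this change show `author: aczechowski` and `ms.author: aaroncz`. If ownership of this page has moved, update `author` here as well (and `ms.author`, which is not visible in this hunk); otherwise note why this page differs.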
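Review bot: in windows-11-overview.md, `ms.prod: w10` is left in place as a context line, while windows-11-plan.md, windows-11-prepare.md and windows-11-requirements.md in the same change carry `ms.prod: w11`. This hunk is already tidying the front matter, so confirm whether the overview page should be `w11` too and fix it here if so.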